Trusted Path Execution (TPE) is a protection which restricts the execution of files under certain circumstances determined by their path. Using it will make privilege escalation harder when an account restricted by TPE is compromised as the attacker won't be able to execute custom binaries which are not in the trusted path.
You can also enable a weaker restriction which will prevent race conditions on code executed by non root users. This weaker condition makes non-root users able to run only executables on directories owned by them or root and writeable only by the owner.
To explain how TPE works we will first explain what each kernel option does, and then show the results with an example.
Here TPE is disabled. So it won't won't affect the executable permissions.
-> Security options
-> Grsecurity
-> Grsecurity
-> Executable Protections
[ ] Trusted Path Execution (TPE)
Here we use the minimal setup of TPE. With it all the users in the group with the indicated GID (100 by default) will be able to execute only files in root owned directories writable only by root (and nothing more).
-> Security options
-> Grsecurity
-> Grsecurity
-> Executable Protections
[*] Trusted Path Execution (TPE)
[ ] Partially restrict all non-root users
[ ] Invert GID option
(100) GID for untrusted users
Now we also enable the partial restriction, this means that now aside from the previous restriction, we now add another for the non-root users not affected by it which will allow execution only in root owned directories writable only by root and directories owned by the executing user which aren't group writable nor world writable (and nothing more).
-> Security options
-> Grsecurity
-> Grsecurity
-> Executable Protections
[*] Trusted Path Execution (TPE)
[*] Partially restrict all non-root users
[ ] Invert GID option
(100) GID for untrusted users
Now, we enabled the invert GID option, so now all the users not in the group with the indicated GID (100 by default) will be able to execute only files in root owned directories writable only by root (and nothing more).
-> Security options
-> Grsecurity
-> Grsecurity
-> Executable Protections
[*] Trusted Path Execution (TPE)
[ ] Partially restrict all non-root users
[*] Invert GID option
(100) GID for trusted users
Again we also enable the partial restriction, this means that now aside from the previous restriction, we now add another for the non-root users not affected by it which will allow execution only in root owned directories writable only by root and directories owned by the executing user which aren't group writable nor world writable (and nothing more).
-> Security options
-> Grsecurity
-> Grsecurity
-> Executable Protections
[*] Trusted Path Execution (TPE)
[*] Partially restrict all non-root users
[*] Invert GID option
(100) GID for trusted users
To make things even clearer we have executed a small test suite on each of the possible setups.
The test suite consist of a series of directories with different names each with different permissions and ownership. These directories have exactly the same contents: a set of files again with different permissions and ownership each. The files are just a simple bash script printing OK.
.: total 48 drwxr-xr-x 2 root root 4096 ene 6 22:51 01 drwxr-xrwx 2 root root 4096 ene 6 22:51 02 drwxrwxr-x 2 root root 4096 ene 6 22:51 03 drwxrwxrwx 2 root root 4096 ene 6 22:51 04 drwxr-xr-x 2 user1 user1 4096 ene 6 22:51 05 drwxr-xrwx 2 user1 user1 4096 ene 6 22:51 06 drwxrwxr-x 2 user1 user1 4096 ene 6 22:51 07 drwxrwxrwx 2 user1 user1 4096 ene 6 22:51 08 drwxr-xr-x 2 user2 user2 4096 ene 6 22:51 09 drwxr-xrwx 2 user2 user2 4096 ene 6 22:51 10 drwxrwxr-x 2 user2 user2 4096 ene 6 22:51 11 drwxrwxrwx 2 user2 user2 4096 ene 6 22:51 12 ./01: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./02: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./03: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./04: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./05: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./06: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./07: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./08: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./09: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./10: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./11: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12 ./12: total 48 -rwxrwxrwx 1 root root 22 ene 6 22:59 01 -rwxr-xrwx 1 root root 22 ene 6 22:59 02 -rwxrwxr-x 1 root root 22 ene 6 22:59 03 -rwxr-xr-x 1 root root 22 ene 6 22:59 04 -rwxrwxrwx 1 user2 user2 22 ene 6 22:59 05 -rwxr-xrwx 1 user2 user2 22 ene 6 22:59 06 -rwxrwxr-x 1 user2 user2 22 ene 6 22:59 07 -rwxr-xr-x 1 user2 user2 22 ene 6 22:59 08 -rwxrwxrwx 1 user1 user1 22 ene 6 22:59 09 -rwxr-xrwx 1 user1 user1 22 ene 6 22:59 10 -rwxrwxr-x 1 user1 user1 22 ene 6 22:59 11 -rwxr-xr-x 1 user1 user1 22 ene 6 22:59 12
Below are the results for each execution attempt on each of the presented setups. user1 is in the group set by the GID, while user2 isn't. A YES means the file indicated was executable by the indicated user in the indicated setup. A NO means the permission to execute the file was denied.
| Directory | File | Setup 1 | Setup 2 | Setup 3 | Setup 4 | Setup 5 | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| user1 | user2 | user1 | user2 | user1 | user2 | user1 | user2 | user1 | user2 | ||
| 01 | 01 | ||||||||||
| 01 | 02 | ||||||||||
| 01 | 03 | ||||||||||
| 01 | 04 | ||||||||||
| 01 | 05 | ||||||||||
| 01 | 06 | ||||||||||
| 01 | 07 | ||||||||||
| 01 | 08 | ||||||||||
| 01 | 09 | ||||||||||
| 01 | 10 | ||||||||||
| 01 | 11 | ||||||||||
| 01 | 12 | ||||||||||
| 02 | 01 | ||||||||||
| 02 | 02 | ||||||||||
| 02 | 03 | ||||||||||
| 02 | 04 | ||||||||||
| 02 | 05 | ||||||||||
| 02 | 06 | ||||||||||
| 02 | 07 | ||||||||||
| 02 | 08 | ||||||||||
| 02 | 09 | ||||||||||
| 02 | 10 | ||||||||||
| 02 | 11 | ||||||||||
| 02 | 12 | ||||||||||
| 03 | 01 | ||||||||||
| 03 | 02 | ||||||||||
| 03 | 03 | ||||||||||
| 03 | 04 | ||||||||||
| 03 | 05 | ||||||||||
| 03 | 06 | ||||||||||
| 03 | 07 | ||||||||||
| 03 | 08 | ||||||||||
| 03 | 09 | ||||||||||
| 03 | 10 | ||||||||||
| 03 | 11 | ||||||||||
| 03 | 12 | ||||||||||
| 04 | 01 | ||||||||||
| 04 | 02 | ||||||||||
| 04 | 03 | ||||||||||
| 04 | 04 | ||||||||||
| 04 | 05 | ||||||||||
| 04 | 06 | ||||||||||
| 04 | 07 | ||||||||||
| 04 | 08 | ||||||||||
| 04 | 09 | ||||||||||
| 04 | 10 | ||||||||||
| 04 | 11 | ||||||||||
| 04 | 12 | ||||||||||
| 05 | 01 | ||||||||||
| 05 | 02 | ||||||||||
| 05 | 03 | ||||||||||
| 05 | 04 | ||||||||||
| 05 | 05 | ||||||||||
| 05 | 06 | ||||||||||
| 05 | 07 | ||||||||||
| 05 | 08 | ||||||||||
| 05 | 09 | ||||||||||
| 05 | 10 | ||||||||||
| 05 | 11 | ||||||||||
| 05 | 12 | ||||||||||
| 06 | 01 | ||||||||||
| 06 | 02 | ||||||||||
| 06 | 03 | ||||||||||
| 06 | 04 | ||||||||||
| 06 | 05 | ||||||||||
| 06 | 06 | ||||||||||
| 06 | 07 | ||||||||||
| 06 | 08 | ||||||||||
| 06 | 09 | ||||||||||
| 06 | 10 | ||||||||||
| 06 | 11 | ||||||||||
| 06 | 12 | ||||||||||
| 07 | 01 | ||||||||||
| 07 | 02 | ||||||||||
| 07 | 03 | ||||||||||
| 07 | 04 | ||||||||||
| 07 | 05 | ||||||||||
| 07 | 06 | ||||||||||
| 07 | 07 | ||||||||||
| 07 | 08 | ||||||||||
| 07 | 09 | ||||||||||
| 07 | 10 | ||||||||||
| 07 | 11 | ||||||||||
| 07 | 12 | ||||||||||
| 08 | 01 | ||||||||||
| 08 | 02 | ||||||||||
| 08 | 03 | ||||||||||
| 08 | 04 | ||||||||||
| 08 | 05 | ||||||||||
| 08 | 06 | ||||||||||
| 08 | 07 | ||||||||||
| 08 | 08 | ||||||||||
| 08 | 09 | ||||||||||
| 08 | 10 | ||||||||||
| 08 | 11 | ||||||||||
| 08 | 12 | ||||||||||
| 09 | 01 | ||||||||||
| 09 | 02 | ||||||||||
| 09 | 03 | ||||||||||
| 09 | 04 | ||||||||||
| 09 | 05 | ||||||||||
| 09 | 06 | ||||||||||
| 09 | 07 | ||||||||||
| 09 | 08 | ||||||||||
| 09 | 09 | ||||||||||
| 09 | 10 | ||||||||||
| 09 | 11 | ||||||||||
| 09 | 12 | ||||||||||
| 10 | 01 | ||||||||||
| 10 | 02 | ||||||||||
| 10 | 03 | ||||||||||
| 10 | 04 | ||||||||||
| 10 | 05 | ||||||||||
| 10 | 06 | ||||||||||
| 10 | 07 | ||||||||||
| 10 | 08 | ||||||||||
| 10 | 09 | ||||||||||
| 10 | 10 | ||||||||||
| 10 | 11 | ||||||||||
| 10 | 12 | ||||||||||
| 11 | 01 | ||||||||||
| 11 | 02 | ||||||||||
| 11 | 03 | ||||||||||
| 11 | 04 | ||||||||||
| 11 | 05 | ||||||||||
| 11 | 06 | ||||||||||
| 11 | 07 | ||||||||||
| 11 | 08 | ||||||||||
| 11 | 09 | ||||||||||
| 11 | 10 | ||||||||||
| 11 | 11 | ||||||||||
| 11 | 12 | ||||||||||
| 12 | 01 | ||||||||||
| 12 | 02 | ||||||||||
| 12 | 03 | ||||||||||
| 12 | 04 | ||||||||||
| 12 | 05 | ||||||||||
| 12 | 06 | ||||||||||
| 12 | 07 | ||||||||||
| 12 | 08 | ||||||||||
| 12 | 09 | ||||||||||
| 12 | 10 | ||||||||||
| 12 | 11 | ||||||||||
| 12 | 12 | ||||||||||
As we can see the results are not dependent on the files ownership or permissions but on the directories ones. Below is a summed up more readable table. Remember thaat user1 is in the group set by the GID, while user2 isn't and that a YES means the files in the dir were executable by the indicated user in the indicated setup. A NO means the permission to execute the files was denied.
| Directory | Permissions | Owner | Group | Setup 1 | Setup 2 | Setup 3 | Setup 4 | Setup 5 | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| user1 | user2 | user1 | user2 | user1 | user2 | user1 | user2 | user1 | user2 | ||||
| 01 | |||||||||||||
| 02 | |||||||||||||
| 03 | |||||||||||||
| 04 | |||||||||||||
| 05 | |||||||||||||
| 06 | |||||||||||||
| 07 | |||||||||||||
| 08 | |||||||||||||
| 09 | |||||||||||||
| 10 | |||||||||||||
| 11 | |||||||||||||
| 12 | |||||||||||||
We have shown how TPE makes file execution more restrictive. We also have shown that the partial setting will apply to all the user not matched by the GID condition. And we finally showed that TPE restrictions only depend on the permissions and ownership of the directory containing the executable and not on the ones of the executable itself, so an executable owned by other user can still be modified by that user.