From: Karel Zak <kzak@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: util-linux@vger.kernel.org, Lubomir Rintel <lkundrak@v3.sk>
Subject: Re: [RFC][PATCH] unshare: Fix --map-root-user to work on new kernels
Date: Fri, 19 Dec 2014 11:07:49 +0100 [thread overview]
Message-ID: <20141219100749.GJ19904@x2.net.home> (raw)
In-Reply-To: <87sigdkglg.fsf@x220.int.ebiederm.org>
On Wed, Dec 17, 2014 at 05:21:31PM -0600, Eric W. Biederman wrote:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
> > I have just merged a security fix into the linux kernel that corrects an
> > oversight in the permission checks of /proc/self/gid_map.
> >
> > The root of the issue is that unix allows anyone to specify permissions
> > such like: --rwx---rwx on a file, and setgroups call at login time
> > allows seting groups that even setgid exectuables don't drop. Which
> > results in the ability to assign a process fewer privileges just because
> > it is in a specified group, and this makes dropping groups an unsafe
> > operation.
> >
> > Therefore unprivileged writing of /proc/self/gid_map has been disabled
> > unless /proc/self/setgroups is written first to permanently disable the
> > ability to call setgroups in that user namespace.
What does it mean "allow" in /proc/self/setgroups?
If I good understand than /proc/self/gid_map is unwritable until the
setgroups file is set to "deny", and "allow" means that gid_map is
disabled at all, but setgroup() syscall is possible to use in the
user namespace. Right?
> > In part this design was chosen so that applications that are affected
> > will break early instead of late, and in part to make it clear to
> > everyone what is going on.
> >
> > I think for the experimental tool that is unshare --make-root-user we
> > just want to flip the bit and be done with it (patch below).
> >
> > However we may want to require an additional option to clear setgroups,
> > if there loging type applications running that call setgroups and having
> > explicit breakage up front instead of more silent stealthy breakage
> > when the application runs is desired.
> >
> > If we don't want any extra options working tested code is below.
Do you mean "unshare --setgroups-allow"?
(And it has to be mutually exclusive to --map-root-user.)
IMHO it's good idea to make it possible to control this feature by
unshare util.
> This may also have some affect on the setgroups(0, NULL) case of
> nsenter as well.
Definitely yes, if I good understand then the best way is to read
/proc/self/setgroups to check for "allow" before we call setgroups().
Now we call it all time (for --setguid).
I can write the patches.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
next prev parent reply other threads:[~2014-12-19 10:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-17 23:06 [RFC][PATCH] unshare: Fix --map-root-user to work on new kernels Eric W. Biederman
2014-12-17 23:21 ` Eric W. Biederman
2014-12-19 10:07 ` Karel Zak [this message]
2014-12-19 12:28 ` Eric W. Biederman
2014-12-19 13:20 ` Karel Zak
2015-01-08 11:13 ` Karel Zak
2015-01-08 16:12 ` Eric W. Biederman
2015-01-09 9:39 ` Karel Zak
2015-01-08 11:59 ` Karel Zak
2015-01-08 15:41 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141219100749.GJ19904@x2.net.home \
--to=kzak@redhat.com \
--cc=ebiederm@xmission.com \
--cc=lkundrak@v3.sk \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.