Re: userns idea: preventing SCM_CREDENTIALS from leaking out

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	Serge Hallyn
	<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Subject: Re: userns idea: preventing SCM_CREDENTIALS from leaking out
Date: Tue, 26 Nov 2013 17:33:33 -0800	[thread overview]
Message-ID: <8738miwrv6.fsf@xmission.com> (raw)
In-Reply-To: <CALCETrWWSVnwg6Sb=bZz0xuAj_ASjZmsLYy=ELoR_uSqKJJaWg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Andy Lutomirski's message of "Tue, 26 Nov 2013 17:02:17 -0800")

Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> writes:

> IIUC there are multiple ways to end up with a socket pair for which
> one end is in a user namespace and the other is outside of it.  That
> means that SCM_CREDENTIALS can be used by a process in a userns to
> authenticate to a process outside.
>
> This is all well and good (and, as far as I know, correct), but I'm
> not sure this is always the desired behavior. 

Preventing a socket pair in contexts where it is not desired is straight
forward so I don't think in general this is a problem.

> In the context of a
> tool like Docker, it might be useful to have several user namespaces
> that have the *same* uids mapped.  Nonetheless, if one of those
> namespaces is compromised, it probably shouldn't be permitted to
> attack things outside the user namespace (or in the host, if any
> interesting uids are mapped).
>
> Would it make sense to have an option to allow a user namespace to opt
> into different behavior so that its users show up as the invalid uid
> as seen from outside (as least for SCM_CREDENTIALS and SO_PEERCRED)?
>
> Implementing this might be awkward (ok, it might actively suck due to
> a possible need for reference counting), but I'm wondering if it's a
> good idea even in principle.

For an idea like this I would really need to see a motivating example,
especially as adding complexity simple makes the analysis of security
properites worse.

As for uid mappings my expectation is that an ordinary user will get
about 10,000 uids that are all reserved for that users.  Which means
that in general there is no excuse for using uids in different
containers for different users.

The only case I can think of for having the same uids mapped is when
we want to share code between containers.  In that case I would suggest
making the directories read-only and ensuring there are no executables
are suid or sgid.  Which prevents the problem you are worrying about.

Eric

next prev parent reply	other threads:[~2013-11-27  1:33 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-27  1:02 userns idea: preventing SCM_CREDENTIALS from leaking out Andy Lutomirski
     [not found] ` <CALCETrWWSVnwg6Sb=bZz0xuAj_ASjZmsLYy=ELoR_uSqKJJaWg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27  1:33   ` Eric W. Biederman [this message]
2013-11-27  1:49   ` Serge E. Hallyn
     [not found]     ` <20131127014920.GA31364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27  3:17       ` Eric W. Biederman
     [not found]         ` <87eh62v8hc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 14:44           ` Serge E. Hallyn
     [not found]             ` <20131127144431.GA6122-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 16:24               ` Andy Lutomirski
     [not found]                 ` <CALCETrVXKHO4=Q+0szERmte+5HYJMwVXnXJxLTdBThmoQMMPcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 16:26                   ` Serge E. Hallyn
     [not found]                     ` <20131127162626.GA7358-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 16:37                       ` Andy Lutomirski
2013-11-27 16:56                   ` Miklos Szeredi
     [not found]                     ` <CAJfpeguHPFcX07bM=+3JJrV1kanDxp5wZWj4jBo-+1EMceonqg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 17:54                       ` Andy Lutomirski
2013-11-27 18:47                       ` Serge Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8738miwrv6.fsf@xmission.com \
    --to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
    --cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.