From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: userns idea: preventing SCM_CREDENTIALS from leaking out
Date: Tue, 26 Nov 2013 19:17:35 -0800 [thread overview]
Message-ID: <87eh62v8hc.fsf@xmission.com> (raw)
In-Reply-To: <20131127014920.GA31364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> (Serge E. Hallyn's message of "Wed, 27 Nov 2013 01:49:20 +0000")
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
>> IIUC there are multiple ways to end up with a socket pair for which
>> one end is in a user namespace and the other is outside of it. That
>> means that SCM_CREDENTIALS can be used by a process in a userns to
>> authenticate to a process outside.
>>
>> This is all well and good (and, as far as I know, correct), but I'm
>
> And the cgroup manager I'm starting on depends on this.
>
>> not sure this is always the desired behavior. In the context of a
>> tool like Docker, it might be useful to have several user namespaces
>> that have the *same* uids mapped. Nonetheless, if one of those
>> namespaces is compromised, it probably shouldn't be permitted to
>> attack things outside the user namespace (or in the host, if any
>> interesting uids are mapped).
>>
>> Would it make sense to have an option to allow a user namespace to opt
>> into different behavior so that its users show up as the invalid uid
>> as seen from outside (as least for SCM_CREDENTIALS and SO_PEERCRED)?
>>
>> Implementing this might be awkward (ok, it might actively suck due to
>> a possible need for reference counting), but I'm wondering if it's a
>> good idea even in principle.
>
> Well, I'll grant you, if I have a single directory with a socket in
> it, and I make that the aufs or overlayfs underlay for two separate
> mounts, which each are in different containers, then you might have
> a problem here.
>
> Now maybe the answer to that is that the sockets should be created
> in tmpfss (/run, /tmp, etc) anyway. But the more I think about it
> the more I, unfortunately, agree that this could be a problem.
I really hate the concept of mapping a uid in some contexts and not
others. That seems very prone to go wrong. Given all of the possible
kinds of perumutations I can't imagine how we would get it correct.
MS_NOSUID and MS_RDONLY will help with some of the worst offenders.
But it will still be possible for the user namespace root to call
setuid(NNN); and create a process with that uid. And if a unix domain
socket isn't the only means of interacting there will still be problems.
I will suggest that writing a uid mapping filesystem like overlayfs or
perhaps as a mount option of overlayfs is likely to be a more robuse
solution in general. Certainly that is what I originally had on the
drawing board to solve this class of problem.
Eric
next prev parent reply other threads:[~2013-11-27 3:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-27 1:02 userns idea: preventing SCM_CREDENTIALS from leaking out Andy Lutomirski
[not found] ` <CALCETrWWSVnwg6Sb=bZz0xuAj_ASjZmsLYy=ELoR_uSqKJJaWg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 1:33 ` Eric W. Biederman
2013-11-27 1:49 ` Serge E. Hallyn
[not found] ` <20131127014920.GA31364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 3:17 ` Eric W. Biederman [this message]
[not found] ` <87eh62v8hc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 14:44 ` Serge E. Hallyn
[not found] ` <20131127144431.GA6122-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 16:24 ` Andy Lutomirski
[not found] ` <CALCETrVXKHO4=Q+0szERmte+5HYJMwVXnXJxLTdBThmoQMMPcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 16:26 ` Serge E. Hallyn
[not found] ` <20131127162626.GA7358-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 16:37 ` Andy Lutomirski
2013-11-27 16:56 ` Miklos Szeredi
[not found] ` <CAJfpeguHPFcX07bM=+3JJrV1kanDxp5wZWj4jBo-+1EMceonqg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 17:54 ` Andy Lutomirski
2013-11-27 18:47 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eh62v8hc.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.