From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps.
Date: Fri, 14 Dec 2012 10:12:53 -0800 [thread overview]
Message-ID: <87r4ms5wpm.fsf@xmission.com> (raw)
In-Reply-To: <20121214161514.GA9962-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> (Serge E. Hallyn's message of "Fri, 14 Dec 2012 16:15:14 +0000")
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>>
>> > Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>> >> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>> >>
>> >> > Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>> >> >>
>> >> >> Andy Lutomirski pointed out that the current behavior of allowing the
>> >> >> owner of a user namespace to have all caps when that owner is not in a
>> >> >> parent user namespace is wrong.
>> >> >
>> >> > To make sure I understand right, the issue is when a uid is mapped
>> >> > into multiple namespaces.
>> >>
>> >> Yes.
>> >>
>> >> i.e. uid 1000 in ns1 may own ns2, but uid 1000 in ns3 does not?
>> >>
>> >> I am not certain of your example.
>> >>
>> >> The simple case is:
>> >>
>> >> init_user_ns:
>> >> child_user_ns1 (owned by uid == 0 [in all user namespaces])
>> >> child_user_ns2 (owned by uid == 0 [ in all user namespaces])
>> >>
>> >>
>> >> root (uid == 0) in child_user_ns2 has all rights over anything in
>> >> child_user_ns1.
>> >
>> > Well that is only if there was no mapping. (since we're comparing
>> > kuids, not uid_ts). right? If you didn't map uid 0 in child_user_ns2
>> > to another id in the parent ns, you weren't all *that* serious about
>> > isolating the ns.
>> >
>> > The case I was thinking is
>> >
>> > init_user_ns: [0-uidmax]
>> > child_user_ns1 [100000-199999]
>> > child_user_ns2 [100000-199999]
>> > child_user_ns3 [200000-299999]
>
> Wait is my example above possible? Or does child_user_ns3's range need
> to be a subset of child_user_ns2's?
>
> In which case it would be
>
> child_user_ns1 [100000-199999]
> child_user_ns2 [100000-199999]
> child_user_ns3 [120000-129999]
>
Yes. You have to nest uids.
>> > with unfortunate mappings - ns1 and ns2 should have had nonoverlapping
>> > ranges, but in any case now uid 1000 in ns1 can exert privilege over
>> > ns3. Again, uids comparisons will succeed for file access anyway, so
>> > ns1 can 0wn ns2 and ns3 other ways.
>>
>> Yes yours is the more realistic scenario. Mine was simplified to be clear.
>>
>> > Heck I'm starting to think the bug is a feature - surely given the
>> > mappings above I meant for ns1 and ns2 to bleed privilege to each
>> > other?
>>
>> The serious problem is that privileges can bleed up. A user in
>> ns3 can wind up owning ns2 or ns1. Which totally defeats the permission
>> model. You have CAP_DAC_OVERRIDE so you don't even need access to files
>> you own, etc, etc.
>
> Would that not require intervention from the init_user_ns? In my
> example above (let's add that ns2 is owned by kuid.uid=1000 in
> init_user_ns), root in child_user_ns2 cannot map kuid.val=0 or
> kuid.val=1000 into ns3 because 0 and 1000 are not in the range
> 100000-199999. So there is no uid in child_user_ns3 which is able
> to spoof uid=0 in child_user_ns1.
Right. It does require having the uid of the owner of ns1 or ns2 in
ns3. So you have to explicitly allow it.
What I don't see is any point in allowing something like that.
After taking a second look I just realized that this is completely
unexploitable with the code that is currently merged. As creating
a grand child user namespace is competelely impossible. Creating
a user namespace is requires capable(CAP_SYS_ADMIN) which is never
present in anything but the initial user namespace.
That said I think the current semantics of cap_capable are completely
fatal to reasoning about user namespaces.
A child user namespace having capabilities against processes in it's
parent seems totally bizarre and pretty dangerous from a capabilities
standpoint.
That said Serge I think I have lost track of the point of your question.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps.
Date: Fri, 14 Dec 2012 10:12:53 -0800 [thread overview]
Message-ID: <87r4ms5wpm.fsf@xmission.com> (raw)
In-Reply-To: <20121214161514.GA9962@mail.hallyn.com> (Serge E. Hallyn's message of "Fri, 14 Dec 2012 16:15:14 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> Quoting Eric W. Biederman (ebiederm@xmission.com):
>> "Serge E. Hallyn" <serge@hallyn.com> writes:
>>
>> > Quoting Eric W. Biederman (ebiederm@xmission.com):
>> >> "Serge E. Hallyn" <serge@hallyn.com> writes:
>> >>
>> >> > Quoting Eric W. Biederman (ebiederm@xmission.com):
>> >> >>
>> >> >> Andy Lutomirski pointed out that the current behavior of allowing the
>> >> >> owner of a user namespace to have all caps when that owner is not in a
>> >> >> parent user namespace is wrong.
>> >> >
>> >> > To make sure I understand right, the issue is when a uid is mapped
>> >> > into multiple namespaces.
>> >>
>> >> Yes.
>> >>
>> >> i.e. uid 1000 in ns1 may own ns2, but uid 1000 in ns3 does not?
>> >>
>> >> I am not certain of your example.
>> >>
>> >> The simple case is:
>> >>
>> >> init_user_ns:
>> >> child_user_ns1 (owned by uid == 0 [in all user namespaces])
>> >> child_user_ns2 (owned by uid == 0 [ in all user namespaces])
>> >>
>> >>
>> >> root (uid == 0) in child_user_ns2 has all rights over anything in
>> >> child_user_ns1.
>> >
>> > Well that is only if there was no mapping. (since we're comparing
>> > kuids, not uid_ts). right? If you didn't map uid 0 in child_user_ns2
>> > to another id in the parent ns, you weren't all *that* serious about
>> > isolating the ns.
>> >
>> > The case I was thinking is
>> >
>> > init_user_ns: [0-uidmax]
>> > child_user_ns1 [100000-199999]
>> > child_user_ns2 [100000-199999]
>> > child_user_ns3 [200000-299999]
>
> Wait is my example above possible? Or does child_user_ns3's range need
> to be a subset of child_user_ns2's?
>
> In which case it would be
>
> child_user_ns1 [100000-199999]
> child_user_ns2 [100000-199999]
> child_user_ns3 [120000-129999]
>
Yes. You have to nest uids.
>> > with unfortunate mappings - ns1 and ns2 should have had nonoverlapping
>> > ranges, but in any case now uid 1000 in ns1 can exert privilege over
>> > ns3. Again, uids comparisons will succeed for file access anyway, so
>> > ns1 can 0wn ns2 and ns3 other ways.
>>
>> Yes yours is the more realistic scenario. Mine was simplified to be clear.
>>
>> > Heck I'm starting to think the bug is a feature - surely given the
>> > mappings above I meant for ns1 and ns2 to bleed privilege to each
>> > other?
>>
>> The serious problem is that privileges can bleed up. A user in
>> ns3 can wind up owning ns2 or ns1. Which totally defeats the permission
>> model. You have CAP_DAC_OVERRIDE so you don't even need access to files
>> you own, etc, etc.
>
> Would that not require intervention from the init_user_ns? In my
> example above (let's add that ns2 is owned by kuid.uid=1000 in
> init_user_ns), root in child_user_ns2 cannot map kuid.val=0 or
> kuid.val=1000 into ns3 because 0 and 1000 are not in the range
> 100000-199999. So there is no uid in child_user_ns3 which is able
> to spoof uid=0 in child_user_ns1.
Right. It does require having the uid of the owner of ns1 or ns2 in
ns3. So you have to explicitly allow it.
What I don't see is any point in allowing something like that.
After taking a second look I just realized that this is completely
unexploitable with the code that is currently merged. As creating
a grand child user namespace is competelely impossible. Creating
a user namespace is requires capable(CAP_SYS_ADMIN) which is never
present in anything but the initial user namespace.
That said I think the current semantics of cap_capable are completely
fatal to reasoning about user namespaces.
A child user namespace having capabilities against processes in it's
parent seems totally bizarre and pretty dangerous from a capabilities
standpoint.
That said Serge I think I have lost track of the point of your question.
Eric
next prev parent reply other threads:[~2012-12-14 18:12 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-11 21:17 [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Eric W. Biederman
2012-12-11 21:17 ` Eric W. Biederman
[not found] ` <87ip88uw4n.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-13 19:24 ` Andy Lutomirski
2012-12-13 19:24 ` Andy Lutomirski
[not found] ` <50CA2B55.5070402-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2012-12-13 22:01 ` Eric W. Biederman
2012-12-13 22:01 ` Eric W. Biederman
2012-12-13 22:39 ` [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps Eric W. Biederman
[not found] ` <87zk1hshk7.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-13 22:43 ` Linus Torvalds
2012-12-13 22:43 ` Linus Torvalds
[not found] ` <CA+55aFwXnFEFXbkwFPq9xt30xp2_6jfpBLd3E2bms79KKK=V1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-13 22:55 ` Eric W. Biederman
2012-12-13 22:55 ` Eric W. Biederman
2012-12-13 23:21 ` Andy Lutomirski
2012-12-14 3:28 ` Serge E. Hallyn
2012-12-13 23:21 ` Andy Lutomirski
2012-12-14 2:33 ` Eric W. Biederman
2012-12-14 2:36 ` Andy Lutomirski
2012-12-14 3:20 ` [PATCH] " Eric W. Biederman
[not found] ` <CALCETrXRYOh2tkwB+U9ZjA5BNZwscWsq1WGzjP3wUiOXQUXOQg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-14 3:20 ` Eric W. Biederman
[not found] ` <876245jrbc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-14 2:36 ` [RFC][PATCH] " Andy Lutomirski
[not found] ` <CALCETrXLLcUu8Rajjx7+3N_6j5E0T0CR1h=hD+gcc5_r4Umyqw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-14 2:33 ` Eric W. Biederman
2012-12-14 3:28 ` Serge E. Hallyn
[not found] ` <20121214032820.GA5115-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-14 3:32 ` Eric W. Biederman
2012-12-14 3:32 ` Eric W. Biederman
[not found] ` <87bodxi9zw.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-14 15:26 ` Serge E. Hallyn
2012-12-14 15:26 ` Serge E. Hallyn
[not found] ` <20121214152607.GA9266-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-14 15:47 ` Eric W. Biederman
2012-12-14 15:47 ` Eric W. Biederman
[not found] ` <87bodwd4aw.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-14 16:15 ` Serge E. Hallyn
2012-12-14 16:15 ` Serge E. Hallyn
[not found] ` <20121214161514.GA9962-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-14 18:12 ` Eric W. Biederman [this message]
2012-12-14 18:12 ` Eric W. Biederman
[not found] ` <87r4ms5wpm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-14 18:43 ` Linus Torvalds
2012-12-14 18:43 ` Linus Torvalds
2012-12-14 18:47 ` Andy Lutomirski
2012-12-14 20:50 ` Serge E. Hallyn
[not found] ` <CA+55aFw5CMf0-o=yDt2Rj-SYH4pfW1L9QbNb6uKHEdzAyYcvGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-14 18:47 ` Andy Lutomirski
2012-12-14 20:50 ` Serge E. Hallyn
2012-12-14 21:43 ` Eric W. Biederman
2012-12-14 21:43 ` Eric W. Biederman
2012-12-14 20:29 ` Serge E. Hallyn
2012-12-14 20:29 ` Serge E. Hallyn
[not found] ` <20121214202921.GA11450-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-14 22:32 ` Eric W. Biederman
2012-12-14 22:32 ` Eric W. Biederman
[not found] ` <87bodww9hv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-15 0:14 ` Serge E. Hallyn
2012-12-15 0:14 ` Serge E. Hallyn
[not found] ` <87mwxhtxve.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-13 22:39 ` Eric W. Biederman
2012-12-13 23:02 ` [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Andy Lutomirski
2012-12-13 23:02 ` Andy Lutomirski
[not found] ` <CALCETrWxXZ1OzZeH_SGeg1E16rssxBwg+hjG09N5dkqweVKeRA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-14 4:11 ` Eric W. Biederman
2012-12-14 4:11 ` Eric W. Biederman
[not found] ` <87mwxhff2e.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-14 5:34 ` Andy Lutomirski
2012-12-14 5:34 ` Andy Lutomirski
[not found] ` <CALCETrXagfjy4o0_JCZpMfdocYK-MpOp3eH-tPZhgazvJAy-EQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-12-14 17:48 ` Eric W. Biederman
2012-12-14 17:48 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r4ms5wpm.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.