From: ebiederm@xmission.com (Eric W. Biederman)
To: <util-linux@vger.kernel.org>
Cc: Karel Zak <kzak@redhat.com>, Lubomir Rintel <lkundrak@v3.sk>
Subject: Re: [RFC][PATCH] unshare: Fix --map-root-user to work on new kernels
Date: Wed, 17 Dec 2014 17:21:31 -0600 [thread overview]
Message-ID: <87sigdkglg.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <87zjalkhb8.fsf@x220.int.ebiederm.org> (Eric W. Biederman's message of "Wed, 17 Dec 2014 17:06:03 -0600")
ebiederm@xmission.com (Eric W. Biederman) writes:
> I have just merged a security fix into the linux kernel that corrects an
> oversight in the permission checks of /proc/self/gid_map.
>
> The root of the issue is that unix allows anyone to specify permissions
> such like: --rwx---rwx on a file, and setgroups call at login time
> allows seting groups that even setgid exectuables don't drop. Which
> results in the ability to assign a process fewer privileges just because
> it is in a specified group, and this makes dropping groups an unsafe
> operation.
>
> Therefore unprivileged writing of /proc/self/gid_map has been disabled
> unless /proc/self/setgroups is written first to permanently disable the
> ability to call setgroups in that user namespace.
>
> In part this design was chosen so that applications that are affected
> will break early instead of late, and in part to make it clear to
> everyone what is going on.
>
> I think for the experimental tool that is unshare --make-root-user we
> just want to flip the bit and be done with it (patch below).
>
> However we may want to require an additional option to clear setgroups,
> if there loging type applications running that call setgroups and having
> explicit breakage up front instead of more silent stealthy breakage
> when the application runs is desired.
>
> If we don't want any extra options working tested code is below.
This may also have some affect on the setgroups(0, NULL) case of
nsenter as well.
Eric
next prev parent reply other threads:[~2014-12-17 23:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-17 23:06 [RFC][PATCH] unshare: Fix --map-root-user to work on new kernels Eric W. Biederman
2014-12-17 23:21 ` Eric W. Biederman [this message]
2014-12-19 10:07 ` Karel Zak
2014-12-19 12:28 ` Eric W. Biederman
2014-12-19 13:20 ` Karel Zak
2015-01-08 11:13 ` Karel Zak
2015-01-08 16:12 ` Eric W. Biederman
2015-01-09 9:39 ` Karel Zak
2015-01-08 11:59 ` Karel Zak
2015-01-08 15:41 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sigdkglg.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=kzak@redhat.com \
--cc=lkundrak@v3.sk \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.