From: Rob Landley <rob-VoJi6FS/r0vR7s880joybQ@public.gmane.org>
To: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: Requirements for CAP_SYS_ADMIN on setns() ?
Date: Sat, 08 Jun 2013 14:54:09 -0500 [thread overview]
Message-ID: <1370721249.2776.87@driftwood> (raw)
In-Reply-To: <20130607093459.GB10742-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> (from berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org on Fri Jun 7 04:34:59 2013)
Waaaay behind on my email...
On 06/07/2013 04:34:59 AM, Daniel P. Berrange wrote:
> On Thu, Jun 06, 2013 at 11:15:11AM -0700, Eric W. Biederman wrote:
> > "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
> > setns requires CAP_SYS_ADMIN because changing the namespaces for
> your
> > children can result in tricking a suid root application and thus
> lead
> > to privilege escalation.
>
> Yep, ok I see that from the example shown earlier in the thread.
>
> > If you run setns inside a user namespace that you control the
> privilege
> > escalation is not possible and so setns is allowed.
>
> What are the privilege requirements for being able to call setns() on
> a user namespace FD ?
>
> Thinking some more, if there was a setpidns(pid_t containerpid)
> syscall
> which unconditionally joined the caller to all namespaces associated
> with
> the target pid, then you'd not have the security risk described,
> right ?
Sounds like you want a reparent_to_init() that works for a container's
init.
Rob
next prev parent reply other threads:[~2013-06-08 19:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-06 10:01 Requirements for CAP_SYS_ADMIN on setns() ? Daniel P. Berrange
[not found] ` <20130606100149.GG30217-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-06 13:48 ` Serge Hallyn
2013-06-06 16:26 ` Eric W. Biederman
[not found] ` <87txlb8atb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-06 16:44 ` Serge E. Hallyn
[not found] ` <20130606164428.GA4687-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-06-06 18:15 ` Eric W. Biederman
[not found] ` <87bo7j6r80.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-07 9:34 ` Daniel P. Berrange
[not found] ` <20130607093459.GB10742-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-07 19:18 ` Eric W. Biederman
2013-06-08 19:54 ` Rob Landley [this message]
2013-06-09 5:33 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1370721249.2776.87@driftwood \
--to=rob-voji6fs/r0vr7s880joybq@public.gmane.org \
--cc=berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox