From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: Requirements for CAP_SYS_ADMIN on setns() ?
Date: Fri, 7 Jun 2013 10:34:59 +0100 [thread overview]
Message-ID: <20130607093459.GB10742@redhat.com> (raw)
In-Reply-To: <87bo7j6r80.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On Thu, Jun 06, 2013 at 11:15:11AM -0700, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> >> Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes:
> >>
> >> > Quoting Daniel P. Berrange (berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> >> >> Is it not sufficient to rely on the permissions on the /proc/$PID/ns/XXX
> >> >> file to control access to a namespace, and thus allow setns() without
> >> >> a CAP_SYS_ADMIN check ?
>
> The permissions on /proc/$PID/ns/XXX are sufficient to control access
> but they are not ok to allow use.
>
> >> >> ie setns() is basically useless unless you
> >> >> already have sufficient privileges to get a file descriptor for the
> >> >> namespace, so why does setns need an additional privilege check beyond
> >> >> that done at time of open() on the proc file.
>
> To be very clear.
>
> setns requires CAP_SYS_ADMIN because changing the namespaces for your
> children can result in tricking a suid root application and thus lead
> to privilege escalation.
Yep, ok I see that from the example shown earlier in the thread.
> If you run setns inside a user namespace that you control the privilege
> escalation is not possible and so setns is allowed.
What are the privilege requirements for being able to call setns() on
a user namespace FD ?
Thinking some more, if there was a setpidns(pid_t containerpid) syscall
which unconditionally joined the caller to all namespaces associated with
the target pid, then you'd not have the security risk described, right ?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2013-06-07 9:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-06 10:01 Requirements for CAP_SYS_ADMIN on setns() ? Daniel P. Berrange
[not found] ` <20130606100149.GG30217-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-06 13:48 ` Serge Hallyn
2013-06-06 16:26 ` Eric W. Biederman
[not found] ` <87txlb8atb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-06 16:44 ` Serge E. Hallyn
[not found] ` <20130606164428.GA4687-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-06-06 18:15 ` Eric W. Biederman
[not found] ` <87bo7j6r80.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-07 9:34 ` Daniel P. Berrange [this message]
[not found] ` <20130607093459.GB10742-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-07 19:18 ` Eric W. Biederman
2013-06-08 19:54 ` Rob Landley
2013-06-09 5:33 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130607093459.GB10742@redhat.com \
--to=berrange-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox