From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: Requirements for CAP_SYS_ADMIN on setns() ?
Date: Thu, 06 Jun 2013 11:15:11 -0700 [thread overview]
Message-ID: <87bo7j6r80.fsf@xmission.com> (raw)
In-Reply-To: <20130606164428.GA4687-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org> (Serge E. Hallyn's message of "Thu, 6 Jun 2013 11:44:28 -0500")
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>> Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes:
>>
>> > Quoting Daniel P. Berrange (berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
>> >> Is it not sufficient to rely on the permissions on the /proc/$PID/ns/XXX
>> >> file to control access to a namespace, and thus allow setns() without
>> >> a CAP_SYS_ADMIN check ?
The permissions on /proc/$PID/ns/XXX are sufficient to control access
but they are not ok to allow use.
>> >> ie setns() is basically useless unless you
>> >> already have sufficient privileges to get a file descriptor for the
>> >> namespace, so why does setns need an additional privilege check beyond
>> >> that done at time of open() on the proc file.
To be very clear.
setns requires CAP_SYS_ADMIN because changing the namespaces for your
children can result in tricking a suid root application and thus lead
to privilege escalation.
If you run setns inside a user namespace that you control the privilege
escalation is not possible and so setns is allowed.
Eric
next prev parent reply other threads:[~2013-06-06 18:15 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-06 10:01 Requirements for CAP_SYS_ADMIN on setns() ? Daniel P. Berrange
[not found] ` <20130606100149.GG30217-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-06 13:48 ` Serge Hallyn
2013-06-06 16:26 ` Eric W. Biederman
[not found] ` <87txlb8atb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-06 16:44 ` Serge E. Hallyn
[not found] ` <20130606164428.GA4687-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-06-06 18:15 ` Eric W. Biederman [this message]
[not found] ` <87bo7j6r80.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-07 9:34 ` Daniel P. Berrange
[not found] ` <20130607093459.GB10742-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-07 19:18 ` Eric W. Biederman
2013-06-08 19:54 ` Rob Landley
2013-06-09 5:33 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bo7j6r80.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox