From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Rob Landley <rob-VoJi6FS/r0vR7s880joybQ@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Subject: Re: Requirements for CAP_SYS_ADMIN on setns() ?
Date: Sat, 08 Jun 2013 22:33:12 -0700 [thread overview]
Message-ID: <87y5ajzw4n.fsf@xmission.com> (raw)
In-Reply-To: <1370721249.2776.87@driftwood> (Rob Landley's message of "Sat, 08 Jun 2013 14:54:09 -0500")
Rob Landley <rob-VoJi6FS/r0vR7s880joybQ@public.gmane.org> writes:
> Waaaay behind on my email...
>
> On 06/07/2013 04:34:59 AM, Daniel P. Berrange wrote:
>> On Thu, Jun 06, 2013 at 11:15:11AM -0700, Eric W. Biederman wrote:
>> > "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>> > setns requires CAP_SYS_ADMIN because changing the namespaces for
>> your
>> > children can result in tricking a suid root application and thus
>> lead
>> > to privilege escalation.
>>
>> Yep, ok I see that from the example shown earlier in the thread.
>>
>> > If you run setns inside a user namespace that you control the
>> privilege
>> > escalation is not possible and so setns is allowed.
>>
>> What are the privilege requirements for being able to call setns() on
>> a user namespace FD ?
>>
>> Thinking some more, if there was a setpidns(pid_t containerpid)
>> syscall
>> which unconditionally joined the caller to all namespaces associated
>> with
>> the target pid, then you'd not have the security risk described,
>> right ?
>
> Sounds like you want a reparent_to_init() that works for a container's
> init.
setns on all of the namespaces effectively gives you that ability. You
probably want to play with cgroups and a few other similar things. And
there is a utility in util-linux that automates at least the namespace
portion of this called nsenter.
Eric
prev parent reply other threads:[~2013-06-09 5:33 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-06 10:01 Requirements for CAP_SYS_ADMIN on setns() ? Daniel P. Berrange
[not found] ` <20130606100149.GG30217-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-06 13:48 ` Serge Hallyn
2013-06-06 16:26 ` Eric W. Biederman
[not found] ` <87txlb8atb.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-06 16:44 ` Serge E. Hallyn
[not found] ` <20130606164428.GA4687-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-06-06 18:15 ` Eric W. Biederman
[not found] ` <87bo7j6r80.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-07 9:34 ` Daniel P. Berrange
[not found] ` <20130607093459.GB10742-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-07 19:18 ` Eric W. Biederman
2013-06-08 19:54 ` Rob Landley
2013-06-09 5:33 ` Eric W. Biederman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y5ajzw4n.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=rob-VoJi6FS/r0vR7s880joybQ@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox