From: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: James Bottomley
<James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
LSM List
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: Keyrings, user namespaces and the user_struct
Date: Wed, 26 Oct 2016 15:34:50 +0100 [thread overview]
Message-ID: <9243.1477492490@warthog.procyon.org.uk> (raw)
In-Reply-To: <CALCETrU0PqNYmWx70pugkhj-kAD5DSzSi3swhK+v12WMYZYUZA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote:
> > | Not just questionable, completely wrong. The gist is that there is a
> > | *global* name -> key mapping for accessing keys by name, and user
> > | keyrings are stored in there under the name "_uid.%u", where %u
> > | refers to the *namespaced* UID. (See install_user_keyrings().)
> > | The result is that, if e.g. the user with UID 1000 has no running
> > | processes, a local attacker can enter a new user namespace, map UID
> > | 1000 in the namespace to some KUID he controls, do
> > | setresuid(1000, 1000, 1000), and now he owns user 1000's keyring.
Hmmm... Having checked over the code, it might not be that simple. Thanks to
something Eric Biederman added into find_keyring_by_name(), unless a keyring's
UID is a member of the current user namespace, you can't find that keyring by
name.
However, I'm not sure that that stops someone trying to find it by colliding
kuids since keys can't pin the user_struct without causing a loop.
Further, if the user_struct referring to a user (or user-session) keyring gets
deallocated, it drops its link to that keyring - though that's no guarantee
that the user keyrings will be deallocated themselves (there may be links from
elsewhere).
I'm wondering if I should move the user keyrings out of the user_struct so
that keys can pin the user_struct (and I could then merge the key_user struct
into it).
The user-keyring and user-session keyring could be kept in the user's
persistent keyring or in their own tree in the user namespace. The former
would allow their easy reuse within a certain amount of time and the latter
would allow them to be easily revoked when the user_namespace struct is
destroyed.
I think Eric's patch to move the keyring list into the user_namespace struct
rather than having it be global is also a good step.
David
next prev parent reply other threads:[~2016-10-26 14:34 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161026143856.GL3334@pc.thejh.net>
[not found] ` <CALCETrU0PqNYmWx70pugkhj-kAD5DSzSi3swhK+v12WMYZYUZA@mail.gmail.com>
[not found] ` <17576.1477412418@warthog.procyon.org.uk>
[not found] ` <17576.1477412418-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 16:41 ` Keyrings, user namespaces and the user_struct Jann Horn
2016-10-25 16:49 ` James Bottomley
2016-10-25 16:53 ` David Howells
[not found] ` <18335.1477414412-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 16:56 ` James Bottomley
2016-10-26 7:18 ` José Bollo
[not found] ` <1477414605.3079.40.camel@HansenPartnership.com>
[not found] ` <1477414605.3079.40.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 17:06 ` Jann Horn
2016-10-25 17:30 ` David Howells
[not found] ` <20161025170602.GB24481@laptop.thejh.net>
[not found] ` <20161025170602.GB24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:05 ` James Bottomley
[not found] ` <1477418708.3079.52.camel@HansenPartnership.com>
[not found] ` <1477418708.3079.52.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 18:17 ` Jann Horn
[not found] ` <20161025181735.GC24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:21 ` James Bottomley
2016-10-25 19:34 ` Andy Lutomirski
[not found] ` <CALCETrU0PqNYmWx70pugkhj-kAD5DSzSi3swhK+v12WMYZYUZA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-25 20:41 ` David Howells
2016-10-26 14:34 ` David Howells [this message]
[not found] ` <9243.1477492490-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-26 14:38 ` Jann Horn
[not found] ` <20161026143856.GL3334-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-10-26 14:48 ` David Howells
[not found] ` <9610.1477493338-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-26 18:10 ` Eric W. Biederman
[not found] ` <87mvhrrng3.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 18:35 ` David Howells
[not found] ` <3677.1477506925-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-27 16:11 ` David Howells
2016-10-27 16:18 ` Eric W. Biederman
[not found] ` <20947.1477428095@warthog.procyon.org.uk>
[not found] ` <20947.1477428095-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 20:51 ` James Bottomley
2016-10-26 5:54 ` Eric W. Biederman
[not found] ` <87shrju031.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 6:48 ` Eric W. Biederman
[not found] ` <18846.1477416621@warthog.procyon.org.uk>
[not found] ` <18846.1477416621-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 18:13 ` James Bottomley
[not found] ` <1477419204.3079.60.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 18:22 ` Jann Horn
[not found] ` <20161025182206.GD24481@laptop.thejh.net>
[not found] ` <20161025182206.GD24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:25 ` James Bottomley
2016-10-26 4:45 ` Eric W. Biederman
[not found] ` <87y41bvhui.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 7:37 ` David Howells
2016-10-26 4:38 ` Eric W. Biederman
2016-10-26 11:43 ` David Howells
2016-10-25 16:20 David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9243.1477492490@warthog.procyon.org.uk \
--to=dhowells-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox