From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Larsson <alexl@redhat.com>,
gnome-os-list@gnome.org,
Linux Containers <containers@lists.linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
mclasen@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
Date: Tue, 31 Mar 2015 17:08:06 +0300 [thread overview]
Message-ID: <1427810886.2117.129.camel@HansenPartnership.com> (raw)
In-Reply-To: <CALCETrU1vKf3fXPt8nS-ABDgfp8NxrFjHwTc68rA0rtvg2Lufg@mail.gmail.com>
On Tue, 2015-03-31 at 06:59 -0700, Andy Lutomirski wrote:
> On Tue, Mar 31, 2015 at 6:55 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Tue, 2015-03-31 at 06:44 -0700, Andy Lutomirski wrote:
> >> On Tue, Mar 31, 2015 at 6:23 AM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Tue, 2015-03-31 at 06:12 -0700, Andy Lutomirski wrote:
> >> >> On Tue, Mar 31, 2015 at 6:07 AM, James Bottomley
> >> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> >> > On Tue, 2015-03-31 at 09:57 +0200, Alexander Larsson wrote:
> >> >> >> On fre, 2015-03-27 at 10:03 +0100, James Bottomley
> >> >> >> >
> >> >> >> > > On Fri, Feb 20, 2015 at 5:04 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> >> >> >> > > > It's currently impossible to mount devpts in a user namespace that
> >> >> >> > > > has no root user, since ptmx can't be created.
> >> >> >> >
> >> >> >> > This is where I stopped reading because it's not true ... because it is
> >> >> >> > possible, you just do it from the host as real root.
> >> >> >>
> >> >> >> The point is being able to set up a container as a user, not requiring
> >> >> >> the setup to be run as root at all. In my case container is a desktop
> >> >> >> application which will be started by the user, and will run as the user.
> >> >> >> There is no root involved in the call chain at all.
> >> >> >
> >> >> > I don't really like that use case: Most container setups are under the
> >> >> > control of an orchestration system (like LXC, OpenVZ or even Docker).
> >> >> > You typically get the orchestration system to do the dangerous
> >> >> > operations (mount being one of the bigger dangers) because it has the
> >> >> > capacity to vet them. I can see the value in allowing a user to set up
> >> >> > a container without an oversight system, but at the same time you're
> >> >> > increasing the security vulnerability of the system. Security is often
> >> >> > a result of policy, so now this embeds policy into the kernel. I
> >> >> > strongly feel we should define the list of things we expect an
> >> >> > unsupervised (as in with no orchestration system) container to do and
> >> >> > then revisit this once we've given it some thought.
> >> >>
> >> >> Try thinking "sandbox", not "container". The ability to create
> >> >> sandboxes without some root-installed orchestration is incredibly
> >> >> valuable.
> >> >
> >> > A container is anything that uses the various container APIs (mostly
> >> > cgroups and namespaces), so the set of possible containers overlaps the
> >> > set of possible sandboxes.
> >> >
> >> >> In any event, this ship sailed quite awhile ago. devpts is one of the
> >> >> smallish number of important missing features.
> >> >
> >> > I'm not saying "don't do it" I'm saying think carefully about the
> >> > allowable features we permit an unprivileged user to take advantage of.
> >> > This one feels strange to me in that you're asking to give an
> >> > unprivileged user in a container more abilities than an unprivileged
> >> > user outside a container (a non-root user can't mount /dev/ptmx today).
> >> > This would mean that every unprivileged container user can now interfere
> >> > with the tty subsystem.
> >>
> >> That is true, but this is already the case. The current code is:
> >>
> >> root_uid = make_kuid(current_user_ns(), 0);
> >> root_gid = make_kgid(current_user_ns(), 0);
> >>
> >> Unprivileged tasks can make a userns and map themselves as "0" inside,
> >> at which point the code I quoted will work fine. The failure only
> >> happens if they opt not to map anything at all as "0", as many
> >> sandboxes will do.
> >
> > Yes, I know. However remember we use containers to host VPSs which
> > themselves can have non-root users. I don't want a non root user inside
> > the VPS to be able to muck with the tty subsystem. Your patch allows
> > that.
>
> I don't think that this is correct. That user can already create a
> nested userns and map themselves as 0 inside it. Then they can mount
> devpts.
I don't mind if they create a container and control the isolated ttys in
that sub container in the VPS; that's fine. I do mind if they get
access to the ttys in the VPS.
If you can convince me (and the rest of Linux) that the tty subsystem
should be mountable by an unprivileged user generally, then what you
propose is OK.
James
next prev parent reply other threads:[~2015-03-31 14:08 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-21 1:04 [PATCH] devpts: Add ptmx_uid and ptmx_gid options Andy Lutomirski
2015-03-26 19:29 ` Andy Lutomirski
2015-03-27 9:03 ` James Bottomley
2015-03-31 7:57 ` Alexander Larsson
2015-03-31 13:06 ` Andy Lutomirski
2015-03-31 13:07 ` James Bottomley
2015-03-31 13:11 ` Alexander Larsson
2015-03-31 13:12 ` Andy Lutomirski
2015-03-31 13:23 ` James Bottomley
2015-03-31 13:44 ` Andy Lutomirski
2015-03-31 13:55 ` James Bottomley
2015-03-31 13:59 ` Andy Lutomirski
2015-03-31 14:08 ` James Bottomley [this message]
2015-03-31 14:17 ` Alexander Larsson
2015-04-02 10:12 ` James Bottomley
2015-04-02 14:06 ` Andy Lutomirski
2015-04-02 14:29 ` Alexander Larsson
2015-04-02 14:33 ` Andy Lutomirski
2015-04-02 15:49 ` Serge Hallyn
2015-04-02 18:27 ` Eric W. Biederman
2015-05-27 21:32 ` Andy Lutomirski
2015-05-28 16:44 ` Eric W. Biederman
2015-05-28 17:01 ` Alexander Larsson
2015-05-28 17:14 ` Eric W. Biederman
2015-05-28 17:35 ` Alexander Larsson
2015-05-28 20:06 ` Alexander Larsson
2015-05-28 20:17 ` Kenton Varda
2015-05-28 21:50 ` Eric W. Biederman
2015-05-28 17:30 ` Andy Lutomirski
2015-05-28 19:42 ` Eric W. Biederman
2016-03-08 4:59 ` Andy Lutomirski
2016-03-08 9:16 ` Alexander Larsson
2016-03-08 18:17 ` Andy Lutomirski
2015-05-18 21:04 ` Alexander Larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1427810886.2117.129.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=alexl@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=gnome-os-list@gnome.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mclasen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).