From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Larsson <alexl@redhat.com>,
gnome-os-list@gnome.org,
Linux Containers <containers@lists.linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
mclasen@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
Date: Thu, 2 Apr 2015 15:49:27 +0000 [thread overview]
Message-ID: <20150402154927.GB3808@ubuntumail> (raw)
In-Reply-To: <CALCETrWYit+WiAM6DFm0enGeJN==uWNC63zXp_zRSsSJg2YGPg@mail.gmail.com>
Quoting Andy Lutomirski (luto@amacapital.net):
> On Thu, Apr 2, 2015 at 7:29 AM, Alexander Larsson <alexl@redhat.com> wrote:
> > On Thu, 2015-04-02 at 07:06 -0700, Andy Lutomirski wrote:
> >> On Thu, Apr 2, 2015 at 3:12 AM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Tue, 2015-03-31 at 16:17 +0200, Alexander Larsson wrote:
> >> >> On tis, 2015-03-31 at 17:08 +0300, James Bottomley wrote:
> >> >> > On Tue, 2015-03-31 at 06:59 -0700, Andy Lutomirski wrote:
> >> >> > >
> >> >> > > I don't think that this is correct. That user can already create a
> >> >> > > nested userns and map themselves as 0 inside it. Then they can mount
> >> >> > > devpts.
> >> >> >
> >> >> > I don't mind if they create a container and control the isolated ttys in
> >> >> > that sub container in the VPS; that's fine. I do mind if they get
> >> >> > access to the ttys in the VPS.
> >> >> >
> >> >> > If you can convince me (and the rest of Linux) that the tty subsystem
> >> >> > should be mountable by an unprivileged user generally, then what you
> >> >> > propose is OK.
> >> >>
> >> >> That is controlled by the general rights to mount stuff. I.e. unless you
> >> >> have CAP_SYS_ADMIN in the VPS container you will not be able to mount
> >> >> devpts there. You can only do it in a subcontainer where you got
> >> >> permissions to mount via using user namespaces.
> >> >
> >> > OK let me try again. Fine, if you want to speak capabilities, you've
> >> > given a non-root user an unexpected capability (the capability of
> >> > creating a ptmx device). But you haven't used a capability separation
> >> > to do this, you've just hard coded it via a mount parameter mechanism.
> >> >
> >> > If you want to do this thing, do it properly, so it's acceptable to the
> >> > whole of Linux, not a special corner case for one particular type of
> >> > container.
> >> >
> >> > Security breaches are created when people code in special, little used,
> >> > corner cases because they don't get as thoroughly tested and inspected
> >> > as generally applicable mechanisms.
> >> >
> >> > What you want is to be able to use the tty subsystem as a non root user:
> >> > fine, but set that up globally, don't hide it in containers so a lot
> >> > fewer people care.
> >>
> >> I tend to agree, and not just for the tty subsystem. This is an
> >> attack surface issue. With unprivileged user namespaces, unprivileged
> >> users can create mount namespaces (probably a good thing for bind
> >> mounts, etc), network namespaces (reasonably safe by themselves),
> >> network interfaces and iptables rules (scary), fresh
> >> instances/superblocks of some filesystems (scariness depends on the fs
> >> -- tmpfs is probably fine), and more.
> >>
> >> I think we should have real controls for this, and this is mostly
> >> Eric's domain. Eric? A silly issue that sometimes prevents devpts
> >> from being mountable isn't a real control, though.
> >
> > I'm honestly surprised that non-root is allowed to mount things in
> > general with user namespaces. This was long disabled use for non-root in
> > Fedora, but it is now enabled.
> >
> > For instance, using loopback mounted files you could probably attack
> > some of the less well tested filesystem implementations by feeding them
> > fuzzed data.
> >
>
> You actually can't do that right now. Filesystems have to opt in to
> being mounted in unprivileged user namespaces, and no filesystems with
> backing stores have opted in. devpts has, but it's buggy without this
> patch IMO.
>
> > Anyway, I don't see how this affects devpts though. If you're running in
> > a container (or uncontained), as a regular users with no mount
> > capabilities you can already mount a devpts filesystem if you create a
> > subbcontainer with user namespaces and map your uid to 0 in the
> > subcontainer. Then you get a new ptmx device that you can do whatever
> > you want with. The mount option would let you do the same, except be
> > your regular uid in the subcontainer.
> >
> > The only difference outside of the subcontainer is that if the outer
> > container has no uid 0 mapped, yet the user has CAP_SYSADMIN rights in
> > that container. Then he can mount devpts in the outer container where he
> > before could only mount it in an inner container.
> >
>
> Agreed. Also, devpts doesn't seem scary at all to me from a userns
> perspective. Regular users on normal systems can already use ptmx,
> and AFAICS basically all of the attack surface is already available
> through the normal /dev/ptmx node.
I've been ignoring this thread bc I was pretty sure I had acked the
original patch. If you don't have a record of that (or I'm plain wrong
and never did) please let me know.
next prev parent reply other threads:[~2015-04-02 15:49 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-21 1:04 [PATCH] devpts: Add ptmx_uid and ptmx_gid options Andy Lutomirski
2015-03-26 19:29 ` Andy Lutomirski
2015-03-27 9:03 ` James Bottomley
2015-03-31 7:57 ` Alexander Larsson
2015-03-31 13:06 ` Andy Lutomirski
2015-03-31 13:07 ` James Bottomley
2015-03-31 13:11 ` Alexander Larsson
2015-03-31 13:12 ` Andy Lutomirski
2015-03-31 13:23 ` James Bottomley
2015-03-31 13:44 ` Andy Lutomirski
2015-03-31 13:55 ` James Bottomley
2015-03-31 13:59 ` Andy Lutomirski
2015-03-31 14:08 ` James Bottomley
2015-03-31 14:17 ` Alexander Larsson
2015-04-02 10:12 ` James Bottomley
2015-04-02 14:06 ` Andy Lutomirski
2015-04-02 14:29 ` Alexander Larsson
2015-04-02 14:33 ` Andy Lutomirski
2015-04-02 15:49 ` Serge Hallyn [this message]
2015-04-02 18:27 ` Eric W. Biederman
2015-05-27 21:32 ` Andy Lutomirski
2015-05-28 16:44 ` Eric W. Biederman
2015-05-28 17:01 ` Alexander Larsson
2015-05-28 17:14 ` Eric W. Biederman
2015-05-28 17:35 ` Alexander Larsson
2015-05-28 20:06 ` Alexander Larsson
2015-05-28 20:17 ` Kenton Varda
2015-05-28 21:50 ` Eric W. Biederman
2015-05-28 17:30 ` Andy Lutomirski
2015-05-28 19:42 ` Eric W. Biederman
2016-03-08 4:59 ` Andy Lutomirski
2016-03-08 9:16 ` Alexander Larsson
2016-03-08 18:17 ` Andy Lutomirski
2015-05-18 21:04 ` Alexander Larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150402154927.GB3808@ubuntumail \
--to=serge.hallyn@ubuntu.com \
--cc=alexl@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=gnome-os-list@gnome.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mclasen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).