From: Stanislav Kinsbursky
Subject: Re: [RFC PATCH] fs: call_usermodehelper_root helper introduced
Date: Thu, 23 May 2013 12:07:57 +0400
Message-ID: <519DCE5D.6070204@parallels.com>
In-Reply-To: <878v36ex6n.fsf@xmission.com>
References: <20130522072840.27720.85023.stgit@localhost.localdomain> <878v36ex6n.fsf@xmission.com>
To: "Eric W. Biederman"
Sender: linux-fsdevel-owner@vger.kernel.org

22.05.2013 21:33, Eric W. Biederman writes:
> Stanislav Kinsbursky writes:
>
>> Usermode helper executes all binaries in global "init" root context. This
>> doesn't allow calling a binary from another root context (for example in a
>> container).
>> Currently, both containerized NFS client and NFS server require an ability to
>> execute a binary in a container's root context. Root swap can be done in
>> "init" callback, passed by UMH caller.
>> But since we have 2 callers already (and more of them are expected to appear
>> in the future) and because set_fs_root() is not exported, it looks reasonable to
>> add one more generic UMH helper to generic fs code.
>> Root path reference must be held by the caller, since it will be put on UMH
>> thread exit.
>
> Awesome. With this patch as an unprivileged user I get to pick which
> binary the kernel will execute. At least if nfs and nfsd ever run in a
> user namespace (something that looks like only a matter of time).
>

Not really. Only by using a kernel module to call the UMH. And an
unprivileged user can't load a module as far as I know.
I.e. NFSd, for example, will use the unprivileged user's root to perform this
call.
> I think this is a seriously bad idea.
>
> Why can't we do this in userspace with setns as we do with the core dump
> helper?
>

Could you please clarify how setns can help here?

> I am missing a lot of context here and capturing the context of a
> process at the time we mount the filesystem and reconstituting it in
> call user mode helper seems like something we could do.
>
> This patch as it stands looks like it would compete for the honor of the
> easiest kernel feature to exploit.
>

Hmmm...
As far as I can see (maybe I'm missing something), the main security issue
that could be here is allowing any passed root to be swapped to.
What about using the current root instead of the passed one? I.e. taking the
root to swap to inside the UMH.
Does this keep the isolation at the same level?

> Eric
>

-- 
Best regards,
Stanislav Kinsbursky
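To make the setns suggestion in this thread concrete, the following is an added example (my own code, not part of the RFC patch, the NFS code or the kernel): a hypothetical userspace trampoline that the kernel's existing usermode helper would exec in the init root, exactly as it does today, with a pid recorded by the caller (for example at mount time) as its first argument. The trampoline joins that task's user namespace and then its mount namespace with setns(2) and only then execs the real helper, so the helper path is resolved inside the container's root rather than the init root. The trampoline name, the argv layout and the idea of passing a recorded pid are assumptions; nothing here is an existing kernel or NFS interface.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical layout of what the kernel would exec in the init root:
 *   argv = { "umh-trampoline", "<pid>", "<helper>", helper args... }
 * <pid> is assumed to be a task the UMH caller recorded earlier (e.g. the
 * process that mounted the filesystem); the helper is looked up and run in
 * that task's root context instead of the init root.
 */

/* Parse a positive decimal pid; returns 0 on success, -1 if malformed. */
int parse_pid(const char *s, pid_t *out)
{
    char *end;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0 || v > INT_MAX)
        return -1;
    *out = (pid_t)v;
    return 0;
}

/* Build "/proc/<pid>/ns/<name>"; returns 0 on success, -1 if it does not fit. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Join namespace <name> ("user", "mnt", ...) of task `pid`.
 * Returns 0 on success or a negative errno. setns() needs CAP_SYS_ADMIN
 * over the target namespace. For CLONE_NEWNS the kernel also resets the
 * caller's root and cwd to the root of the new mount namespace, so no
 * separate chroot() is required afterwards.
 */
int enter_ns(pid_t pid, const char *name, int nstype)
{
    char path[64];
    if (ns_path(pid, name, path, sizeof path) < 0)
        return -ENAMETOOLONG;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = setns(fd, nstype);
    int err = errno;
    close(fd);
    return rc < 0 ? -err : 0;
}

/*
 * User namespace first, so the helper runs with that namespace's
 * capabilities rather than as init-namespace root; then the mount
 * namespace; then exec. Only returns on failure, with a negative errno.
 */
int run_in_root_of(pid_t pid, char *const argv[])
{
    int rc = enter_ns(pid, "user", CLONE_NEWUSER);
    /* EINVAL: the caller is already a member of that user namespace. */
    if (rc < 0 && rc != -EINVAL)
        return rc;
    rc = enter_ns(pid, "mnt", CLONE_NEWNS);
    if (rc < 0)
        return rc;
    execv(argv[0], argv);   /* path resolved inside the container's root */
    return -errno;
}

int main(int argc, char **argv)
{
    pid_t pid;
    if (argc < 3 || parse_pid(argv[1], &pid) < 0) {
        fprintf(stderr, "usage: %s <pid> <helper> [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_in_root_of(pid, argv + 2);
    fprintf(stderr, "%s: %s\n", argv[2], strerror(-rc));
    return 1;
}
```

Joining only the mount namespace would already execute the helper from the container's root, but still as init-namespace root, so whoever controls that root picks a binary that runs with full privilege; joining the user namespace first is what confines the helper to the container's own capabilities. The namespace switch needs CAP_SYS_ADMIN over the target namespace, so the binary must be run as root to do anything beyond the argument handling.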