* 3.0: user namespace problem with capabilities
From: Arkadiusz Miskiewicz @ 2011-07-21 12:22 UTC
To: linux-kernel; +Cc: Serge E. Hallyn, Herbert Poetzl

Hi,

linux-vserver guys think that there is a problem with user namespace in
upcoming 3.0

"this is a mainline/upstream bug, which basically happens
when unsharing the USER namespace. what happens is that
all capabilities are dropped, and as result, the userspace
tool cannot issue Linux-VServer syscall commands anymore
(because of missing CAP_CONTEXT)"

"this can be verified on vanilla linux-3.0 kernels with
http://vserver.13thfloor.at/Stuff/clone_newuser.c
in the following way:

gcc -o clone_newuser clone_newuser.c
./clone_newuser ls /root/

assuming that /root does not have any right for 'other'
this will result in a permission denied (when the USER
namespace is compiled into the kernel)"

Whole post:

http://list.linux-vserver.org/archive?msp:5151:ekldgndhkgmehnehiegi

What's the maintainers' opinion on this?

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
* Re: 3.0: user namespace problem with capabilities
From: Serge E. Hallyn @ 2011-07-21 13:40 UTC
To: Arkadiusz Miskiewicz; +Cc: linux-kernel, Herbert Poetzl
Quoting Arkadiusz Miskiewicz (a.miskiewicz@gmail.com):
>
> Hi,
>
> linux-vserver guys think that there is a problem with user namespace in
> upcoming 3.0
>
> "this is a mainline/upstream bug, which basically happens
> when unsharing the USER namespace. what happens is that
> all capabilities are dropped, and as result, the userspace
> tool cannot issue Linux-VServer syscall commands anymore
> (because of missing CAP_CONTEXT)"
>
> "this can be verified on vanilla linux-3.0 kernels with
> http://vserver.13thfloor.at/Stuff/clone_newuser.c
> in the following way:
>
> gcc -o clone_newuser clone_newuser.c
> ./clone_newuser ls /root/
>
> assuming that /root does not have any right for 'other'
> this will result in a permission denied (when the USER
> namespace is compiled into the kernel)"
>
> Whole post:
>
> http://list.linux-vserver.org/archive?msp:5151:ekldgndhkgmehnehiegi
>
> What's the maintainers' opinion on this?

See http://wiki.ubuntu.com/UserNamespace for details on what's
going on. See the recent patchset at https://lkml.org/lkml/2011/7/12/377
to see (and help speed up) the next steps. After that patchset, I
need to address passing userids in siginfos and other uid comparisons,
and then, at least, comes VFS support. The speed with which it can be
completed depends in part upon my time, and largely on the amount
of time reviewers have. This stuff is obviously highly critical
security-relevant code, and needs to be very well reviewed and tested
at each step.

(See also http://forum.openvz.org/index.php?t=msg&th=9374&goto=41543&#msg_41543
for the email I sent to containers@, libvirt@, and other lists before
beginning to solicit NACKs in advance)

-serge
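
A small diagnostic for the symptom reported in this thread, added here as an example: it is not part of either message and is not the clone_newuser.c linked above. It prints the effective capability mask of the parent and of a child created with CLONE_NEWUSER so the two can be compared on a given kernel. The names parse_cap_field and report are this example's own, and it assumes Linux with /proc mounted and the glibc clone() wrapper; clone() fails with an error where the caller is not permitted to create a user namespace or the kernel lacks support.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Extract a hex mask such as "CapEff" from /proc/<pid>/status text; -1 if absent. */
int parse_cap_field(const char *status, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            const char *v = p + n + 1;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;   /* empty value */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');          /* move to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Print the caller's effective set; also used as the clone child's entry point. */
static int report(void *label)
{
    char buf[8192];
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 2;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    if (parse_cap_field(buf, "CapEff", &eff) != 0) return 2;
    dprintf(1, "CapEff %s: %016llx\n", (const char *)label, eff);
    return 0;
}

int main(void)
{
    static char stack[256 * 1024] __attribute__((aligned(16)));
    int st = 0;
    if (report("in parent") != 0) return 1;
    pid_t pid = clone(report, stack + sizeof stack, CLONE_NEWUSER | SIGCHLD, "in child");
    if (pid < 0) { perror("clone(CLONE_NEWUSER)"); return 1; }
    return waitpid(pid, &st, 0) == pid && WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}
```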