From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps.
Date: Fri, 14 Dec 2012 16:15:14 +0000 [thread overview]
Message-ID: <20121214161514.GA9962@mail.hallyn.com> (raw)
In-Reply-To: <87bodwd4aw.fsf@xmission.com>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
> > Quoting Eric W. Biederman (ebiederm@xmission.com):
> >> "Serge E. Hallyn" <serge@hallyn.com> writes:
> >>
> >> > Quoting Eric W. Biederman (ebiederm@xmission.com):
> >> >>
> >> >> Andy Lutomirski pointed out that the current behavior of allowing the
> >> >> owner of a user namespace to have all caps when that owner is not in a
> >> >> parent user namespace is wrong.
> >> >
> >> > To make sure I understand right, the issue is when a uid is mapped
> >> > into multiple namespaces.
> >>
> >> Yes.
> >>
> >> i.e. uid 1000 in ns1 may own ns2, but uid 1000 in ns3 does not?
> >>
> >> I am not certain of your example.
> >>
> >> The simple case is:
> >>
> >> init_user_ns:
> >> child_user_ns1 (owned by uid == 0 [in all user namespaces])
> >> child_user_ns2 (owned by uid == 0 [ in all user namespaces])
> >>
> >>
> >> root (uid == 0) in child_user_ns2 has all rights over anything in
> >> child_user_ns1.
> >
> > Well that is only if there was no mapping. (since we're comparing
> > kuids, not uid_ts). right? If you didn't map uid 0 in child_user_ns2
> > to another id in the parent ns, you weren't all *that* serious about
> > isolating the ns.
> >
> > The case I was thinking is
> >
> > init_user_ns: [0-uidmax]
> > child_user_ns1 [100000-199999]
> > child_user_ns2 [100000-199999]
> > child_user_ns3 [200000-299999]
Wait is my example above possible? Or does child_user_ns3's range need
to be a subset of child_user_ns2's?
In which case it would be
child_user_ns1 [100000-199999]
child_user_ns2 [100000-199999]
child_user_ns3 [120000-129999]
> > with unfortunate mappings - ns1 and ns2 should have had nonoverlapping
> > ranges, but in any case now uid 1000 in ns1 can exert privilege over
> > ns3. Again, uids comparisons will succeed for file access anyway, so
> > ns1 can 0wn ns2 and ns3 other ways.
>
> Yes yours is the more realistic scenario. Mine was simplified to be clear.
>
> > Heck I'm starting to think the bug is a feature - surely given the
> > mappings above I meant for ns1 and ns2 to bleed privilege to each
> > other?
>
> The serious problem is that privileges can bleed up. A user in
> ns3 can wind up owning ns2 or ns1. Which totally defeats the permission
> model. You have CAP_DAC_OVERRIDE so you don't even need access to files
> you own, etc, etc.
Would that not require intervention from the init_user_ns? In my
example above (let's add that ns2 is owned by kuid.uid=1000 in
init_user_ns), root in child_user_ns2 cannot map kuid.val=0 or
kuid.val=1000 into ns3 because 0 and 1000 are not in the range
100000-199999. So there is no uid in child_user_ns3 which is able
to spoof uid=0 in child_user_ns1.
-serge
next prev parent reply other threads:[~2012-12-14 16:10 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-11 21:17 [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Eric W. Biederman
2012-12-13 19:24 ` Andy Lutomirski
2012-12-13 22:01 ` Eric W. Biederman
2012-12-13 22:39 ` [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps Eric W. Biederman
2012-12-13 22:43 ` Linus Torvalds
2012-12-13 22:55 ` Eric W. Biederman
2012-12-13 23:21 ` Andy Lutomirski
2012-12-14 2:33 ` Eric W. Biederman
2012-12-14 2:36 ` Andy Lutomirski
2012-12-14 3:20 ` [PATCH] " Eric W. Biederman
2012-12-14 3:28 ` [RFC][PATCH] " Serge E. Hallyn
2012-12-14 3:32 ` Eric W. Biederman
2012-12-14 15:26 ` Serge E. Hallyn
2012-12-14 15:47 ` Eric W. Biederman
2012-12-14 16:15 ` Serge E. Hallyn [this message]
2012-12-14 18:12 ` Eric W. Biederman
2012-12-14 18:43 ` Linus Torvalds
2012-12-14 18:47 ` Andy Lutomirski
2012-12-14 20:50 ` Serge E. Hallyn
2012-12-14 21:43 ` Eric W. Biederman
2012-12-14 20:29 ` Serge E. Hallyn
2012-12-14 22:32 ` Eric W. Biederman
2012-12-15 0:14 ` Serge E. Hallyn
2012-12-13 23:02 ` [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Andy Lutomirski
2012-12-14 4:11 ` Eric W. Biederman
2012-12-14 5:34 ` Andy Lutomirski
2012-12-14 17:48 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121214161514.GA9962@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).