From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps.
Date: Fri, 14 Dec 2012 20:29:21 +0000 [thread overview]
Message-ID: <20121214202921.GA11450@mail.hallyn.com> (raw)
In-Reply-To: <87r4ms5wpm.fsf@xmission.com>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serge@hallyn.com> writes:
Note: I acked your patch before and still don't object to it.
> > In which case it would be
> >
> > child_user_ns1 [100000-199999]
> > child_user_ns2 [100000-199999]
> > child_user_ns3 [120000-129999]
> >
>
> Yes. You have to nest uids.
>
> >> > with unfortunate mappings - ns1 and ns2 should have had nonoverlapping
> >> > ranges, but in any case now uid 1000 in ns1 can exert privilege over
> >> > ns3. Again, uids comparisons will succeed for file access anyway, so
> >> > ns1 can 0wn ns2 and ns3 other ways.
> >>
> >> Yes yours is the more realistic scenario. Mine was simplified to be clear.
> >>
> >> > Heck I'm starting to think the bug is a feature - surely given the
> >> > mappings above I meant for ns1 and ns2 to bleed privilege to each
> >> > other?
> >>
> >> The serious problem is that privileges can bleed up. A user in
> >> ns3 can wind up owning ns2 or ns1. Which totally defeats the permission
> >> model. You have CAP_DAC_OVERRIDE so you don't even need access to files
> >> you own, etc, etc.
> >
> > Would that not require intervention from the init_user_ns? In my
> > example above (let's add that ns2 is owned by kuid.uid=1000 in
> > init_user_ns), root in child_user_ns2 cannot map kuid.val=0 or
> > kuid.val=1000 into ns3 because 0 and 1000 are not in the range
> > 100000-199999. So there is no uid in child_user_ns3 which is able
> > to spoof uid=0 in child_user_ns1.
>
> Right. It does require having the uid of the owner of ns1 or ns2 in
> ns3. So you have to explicitly allow it.
>
> What I don't see is any point in allowing something like that.
The point isn't specifically to allow that, but rather to not muddle the
kuids with the user namespace *.
If I clone two tasks in separate user namespace but give them the same
uid mappings, how should the uids between those namespaces be related?
The way you're doing it now they will equate for DAC checks but not
for privilege checks. It feels ad-hoc and flaky.
> A child user namespace having capabilities against processes in it's
> parent seems totally bizarre and pretty dangerous from a capabilities
> standpoint.
How would it have them against its parent?
> That said Serge I think I have lost track of the point of your question.
Look at it this way. You've introduced kuids which allow "uids" to be
disassociated from the user namespace * in kernel. You have the uid
mapping rules which enforce some sanity (requiring nesting).
If the parent ns has re-used an active uid of its own to give to a child
namespace, then any DAC-governed objects (files in particular) will be
owned by that uid in the child user ns. I'm not sure - does this also
apply to /proc/$$/fd/* access?
-serge
next prev parent reply other threads:[~2012-12-14 20:24 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-11 21:17 [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Eric W. Biederman
2012-12-13 19:24 ` Andy Lutomirski
2012-12-13 22:01 ` Eric W. Biederman
2012-12-13 22:39 ` [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps Eric W. Biederman
2012-12-13 22:43 ` Linus Torvalds
2012-12-13 22:55 ` Eric W. Biederman
2012-12-13 23:21 ` Andy Lutomirski
2012-12-14 2:33 ` Eric W. Biederman
2012-12-14 2:36 ` Andy Lutomirski
2012-12-14 3:20 ` [PATCH] " Eric W. Biederman
2012-12-14 3:28 ` [RFC][PATCH] " Serge E. Hallyn
2012-12-14 3:32 ` Eric W. Biederman
2012-12-14 15:26 ` Serge E. Hallyn
2012-12-14 15:47 ` Eric W. Biederman
2012-12-14 16:15 ` Serge E. Hallyn
2012-12-14 18:12 ` Eric W. Biederman
2012-12-14 18:43 ` Linus Torvalds
2012-12-14 18:47 ` Andy Lutomirski
2012-12-14 20:50 ` Serge E. Hallyn
2012-12-14 21:43 ` Eric W. Biederman
2012-12-14 20:29 ` Serge E. Hallyn [this message]
2012-12-14 22:32 ` Eric W. Biederman
2012-12-15 0:14 ` Serge E. Hallyn
2012-12-13 23:02 ` [GIT PULL] user namespace and namespace infrastructure changes for 3.8 Andy Lutomirski
2012-12-14 4:11 ` Eric W. Biederman
2012-12-14 5:34 ` Andy Lutomirski
2012-12-14 17:48 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121214202921.GA11450@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).