From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: David Howells <dhowells@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Ian Kent <ikent@redhat.com>,
Kernel Mailing List <linux-kernel@vger.kernel.org>,
Stanislav Kinsbursky <skinsbursky@parallels.com>,
Trond Myklebust <trond.myklebust@primarydata.com>,
Benjamin Coddington <bcodding@redhat.com>,
Al Viro <viro@ZenIV.linux.org.uk>
Subject: Re: [RFC PATCH 3/4] kmod - add call_usermodehelper_ns() helper
Date: Wed, 26 Nov 2014 17:57:20 -0500 [thread overview]
Message-ID: <20141126225720.GA28428@fieldses.org> (raw)
In-Reply-To: <87k32i0zyc.fsf@x220.int.ebiederm.org>
On Wed, Nov 26, 2014 at 09:00:11AM -0600, Eric W. Biederman wrote:
> David Howells <dhowells@redhat.com> writes:
>
> > Eric W. Biederman <ebiederm@xmission.com> wrote:
> >
> >> Ian if we were to merge this I believe you would win the award for
> >> easiest path to a root shell.
> >
> > Is there any particular reason the upcalled program has to be run as root?
> > Could the kernel not run it as something else - perhaps the caller's UID,GID
> > or even something anonymous?
> >
> > Also, call_sbin_request_key() could be given a parameter to call something
> > other than /sbin/request-key, and key_type::request_key could be used.
>
> Fundamentally the upcall needs to happen with enough privileges to do
> the job, and that means running in practice running as root in the
> appropriate context. If we didn't need to gain privileges we wouldn't
> need an upcall.
>
> In the code I was critisizing struct cred was not being changed because
> of what I believe was an ignorance of what task->nsproxy was about and
> is for.
>
> It is straight forward to save off a for a kernel thread from the
> process calling mount and make it responsible for the upcall and use
> that as the parent for all of the containerized upcalls, and we could
> easily run with that threads permissions.
>
> We can't use the context of the triggering user but we instead need to
> use the context of the mounter of the filesystem. As otherwise the
> triggering user can control what is /sbin/request-key and cause problems
> that way.
That makes sense to me. There are three cases I think we care about:
- client idmapper upcall: translates between on-the-wire
"user@domain" names and local uid's/gid's. The results may be
cached and used by other users, and you certainly don't want
the user who happened to trigger the upcall by doing a "ls" to
poison the cache with weird values.
- server-side state recovery call: used to record some
information about which clients hold active state. There's no
"mount" on the server side, but "root in the appropriate
context" still sounds right--we probably want to save the
context of whoever started the server. One extra thread per
server would certainly be no big deal, so if that's how we
need to save the context, fine.
- client request-key call: this isn't actually implemented yet
and I don't feel like I understand it.
--b.
next prev parent reply other threads:[~2014-11-26 22:57 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-25 1:07 [RFC PATCH 0/4] Namespace contrained helper execution Ian Kent
2014-11-25 1:07 ` [RFC PATCH 1/4] vfs - fs/namespaces.c: break out mntns_setfs() from mntns_install() Ian Kent
2014-11-25 1:07 ` [RFC PATCH 2/4] nsproxy - make create_new_namespaces() non-static Ian Kent
2014-11-25 1:07 ` [RFC PATCH 3/4] kmod - add call_usermodehelper_ns() helper Ian Kent
2014-11-25 21:52 ` Oleg Nesterov
2014-11-25 22:06 ` Oleg Nesterov
2014-11-25 22:23 ` Eric W. Biederman
2014-11-25 23:07 ` Ian Kent
2014-11-25 23:19 ` Eric W. Biederman
2014-11-25 23:50 ` Ian Kent
2014-11-26 0:44 ` Ian Kent
2014-11-26 1:38 ` Eric W. Biederman
2014-12-01 21:56 ` Benjamin Coddington
2014-12-02 23:33 ` Ian Kent
2014-12-03 16:49 ` Eric W. Biederman
2014-12-03 18:14 ` Benjamin Coddington
2014-12-03 22:53 ` Ian Kent
2014-12-03 23:34 ` Ian Kent
2014-11-26 11:46 ` David Howells
2014-11-26 15:00 ` Eric W. Biederman
2014-11-26 22:57 ` J. Bruce Fields [this message]
2014-11-25 23:14 ` Ian Kent
2014-11-25 22:36 ` Ian Kent
2014-11-25 23:27 ` Eric W. Biederman
2014-11-28 0:19 ` Ian Kent
2014-11-27 1:30 ` Oleg Nesterov
2014-11-25 1:07 ` [RFC PATCH 4/4] KEYS: exec request-key within the requesting task's namespace Ian Kent
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141126225720.GA28428@fieldses.org \
--to=bfields@fieldses.org \
--cc=bcodding@redhat.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=ikent@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=skinsbursky@parallels.com \
--cc=trond.myklebust@primarydata.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox