| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Dec 2012 19:50:44 -0500 From: Neil Horman <nhorman@...driver.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: linux-kernel@...r.kernel.org, containers@...ts.linux-foundation.org, Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH v2] core_pattern: set core helpers root and namespace to crashing process On Fri, Dec 14, 2012 at 03:10:30PM -0800, Eric W. Biederman wrote: > Neil Horman <nhorman@...driver.com> writes: > > > As its currently implemented, redirection of core dumps to a pipe reader should > > be executed such that the reader runs in the namespace of the crashing process, > > and it currently does not. This is the only sane way to deal with namespaces > > properly it seems to me, and this patch implements that functionality. > > I actually rather strongly disagree. > > While we have a global core dump pattern core dumps to a a pipe reader > should be executed such that the reader runs in the namespace of the > process that set the pattern. We can easily restrict that to the > initial namespaces to make the implementation simpler. > > If you want to play namespace games you can implement all of those in > user space once my tree merges for v3.8. > > I am really not a fan of the trigger process being able to control the > environment of a privileged process. It makes writing the privileged > process much trickier. > Why? What specific problem do you see with allowing a privlidged process to execute within a specific namespace, that doesn't also exist with having the pipe reader execute in the init namespace? Note I'm not saying that a poorly constructed pipe reader application doesn't have security problems if it doesn't validate the environment that its running in, but thats something that the pipe reader needs to be sure about. Note also, that if the token in core_pattern is set such that the core_pattern is namespace/root relative, that container needs to install the application relative its root as well (e.g. positive action still needs to be taken on the part of the container admin to make this work). For example, if you set core_pattern="||/usr/bin/foo" Then a process running in a chroot based at /sub/root/ still needs to install a file /sub/root/usr/bin/foo, or the core dump will fail. So its not like a container can just have a core reader execute without first making an administrative decision to do so. Neil -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists