| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Apr 2013 13:21:18 -0700 From: Andy Lutomirski <luto@...capital.net> To: richard -rw- weinberger <richard.weinberger@...il.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Michael Kerrisk-manpages <mtk.manpages@...il.com>, Rob Landley <rob@...dley.net>, linux-man <linux-man@...r.kernel.org>, Linux Containers <containers@...ts.linux-foundation.org>, lkml <linux-kernel@...r.kernel.org>, Vasily Kulikov <segoon@...nwall.com>, Serge Hallyn <serge.hallyn@...ntu.com> Subject: Re: For review (v2): user_namespaces(7) man page On Thu, Apr 25, 2013 at 10:48 PM, richard -rw- weinberger <richard.weinberger@...il.com> wrote: > On Fri, Apr 26, 2013 at 2:54 AM, Eric W. Biederman > <ebiederm@...ssion.com> wrote: >> richard -rw- weinberger <richard.weinberger@...il.com> writes: >> >>> On Wed, Mar 27, 2013 at 10:26 PM, Michael Kerrisk (man-pages) >>> <mtk.manpages@...il.com> wrote: >>>> Inside the user namespace, the shell has user and group ID 0, >>>> and a full set of permitted and effective capabilities: >>>> >>>> bash$ cat /proc/$$/status | egrep '^[UG]id' >>>> Uid: 0 0 0 0 >>>> Gid: 0 0 0 0 >>>> bash$ cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)' >>>> CapInh: 0000000000000000 >>>> CapPrm: 0000001fffffffff >>>> CapEff: 0000001fffffffff >>> >>> I've tried your demo program, but inside the new ns I'm automatically nobody. >>> As Eric said, setuid(0)/setgid(0) are missing. >> >> Is it the setuid/setgid or not setting up the uid/gid map? > > uid/git mapping are set up. > >>> Eric, maybe you can help me. How can I drop capabilities within a user >>> namespace? >> >>> In childFunc() I did add prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) but it always >>> returns ENOPERM. >>> What that? I thought I get a completely fresh set of cap which I can modify. >>> I don't want that uid 0 inside the container has all caps. >> >> There are weird things that happen with exec and the user namespace. If >> you have exec'd as an unmapped user all of your capabilities have >> already been droped. > > I've setup the mappings. If I look into /proc/*/status I see that my process has > all caps. > So, in general it is possible to drop cap within a user namespace? > I really want to drop CAP_NET_ADMIN and some others. > root within my container must not change any networking settings. You may have the common issue that uid 0 tends to regain capabilities on exec due to "legacy" capability emulation. Try playing with securebits and/or the bounding set. (The setpriv command in very new util-linux-ng makes this easy to play with.) Note that you almost certainly want to set no_new_privs if anything other than uid 0 is running with non-default securebits. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists