[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090416153513.GA7876@x200.localdomain>
Date: Thu, 16 Apr 2009 19:35:13 +0400
From: Alexey Dobriyan <adobriyan@...il.com>
To: "Serge E. Hallyn" <serue@...ibm.com>
Cc: Oren Laadan <orenl@...columbia.edu>,
Dave Hansen <dave@...ux.vnet.ibm.com>, xemul@...allels.com,
containers@...ts.linux-foundation.org, mingo@...e.hu,
linux-kernel@...r.kernel.org, hch@...radead.org,
akpm@...ux-foundation.org, torvalds@...ux-foundation.org
Subject: Re: CAP_SYS_ADMIN on restart(2)
On Wed, Apr 15, 2009 at 04:16:09PM -0500, Serge E. Hallyn wrote:
> Quoting Oren Laadan (orenl@...columbia.edu):
> >
> >
> > Serge E. Hallyn wrote:
> > > Quoting Dave Hansen (dave@...ux.vnet.ibm.com):
> > >> On Wed, 2009-04-15 at 23:21 +0400, Alexey Dobriyan wrote:
> > >>> Is sysctl to control CAP_SYS_ADMIN on restart(2) OK?
> > >> If the point is not to let users even *try* restarting things if it
> > >> *might* not work, then I guess this might be reasonable.
> > >>
> > >> If the goal is to increase security by always requiring CAP_SYS_ADMIN
> > >> for "dangerous" operations, I fear it will be harmful. We may have
> > >> people adding features that are not considering the security impact of
> > >> what they're doing just because the cases they care about all require
> > >> privilege.
> > >
> > > Nah, I disagree. (Or put another way, that wouldn't be the goal)
> > > There are two administrators we want to satisfy:
> > >
> > > 1. the one who wants his users to do partial checkpoints, but doesn't
> > > want to risk giving away any privilege at all in the process. He'll
> > > be satisified by setting restart(2) to not require cap_sys_admin,
> > > and his users just won't be able to do a whole container. A lot of
> > > users will be happy with that (though no SYSVIPC support, then).
> >
> > There is also a middle way: use setuid program to allow creation
> > of a new namespace (under your favorite policy), then drop the
> > privileges and continue as unprivileged inside that container.
> >
> > IOW, don't make the initial container-creation a barrier for the
> > entire operation.
>
> That is still possible here. But I don't think it's relevant.
>
> What Alexey wants, I believe, is for users to be able to not have
> to worry about there being exploitable bugs in restart(2) which
> unprivileged users can play with. And for the usual distro-kernel
> reasons, saying use 'CONFIG_CHECKPOINT=n' is not an option.
This is correct, yes. If I would be a sysadmin who knows a bit about
kernel internals, I'd never trust restart(2) to get it right.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists