lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 05 Nov 2012 13:13:55 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Aristeu Rozanski <aris@...hat.com>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Linux Containers <containers@...ts.linux-foundation.org>
Subject: Re: [PATCH] coredump: run the coredump helper using the same namespace as the dead process

Aristeu Rozanski <aris@...hat.com> writes:

> On Mon, Nov 05, 2012 at 11:34:26AM -0800, Eric W. Biederman wrote:
>> I would argue that you very much need to define what it means to have a
>> per container core dump at the same time as you argue this.
>> 
>> Nacked-by: "Eric W. Biederman" <ebiederm@...ssion.com>
>> 
>> Running in a namespace different than whoever set the core dump
>> pattern/helper makes core dump helpers much more attackable.  With this
>> patch and a little creativity I expect I can get root to write to
>> whatever file I would like.  Since I also control the content of what is
>> going into that file.... This design seems emintely exploitable.
>
> Understood. Indeed this is bad design. Having it tied to the mount
> namespace of the process setting the pattern/helper, therefore any
> process crashing under the same mount namespace would use the same
> pattern/helper? 

Other than knowing we need an intuitive and predictable set of
namespaces that will be for the core dumping application I don't
know what the proper design is at this time.

>> Furthermore not all namespaces are pointed at by nsproxy, so even
>> for it's original design this patch is buggy.
>
> is it userns? I just assumed it wasn't there yet because it's being
> worked on.

userns is certainly one case.  The user namespace has no reason to
appear in nsproxy and plenty of good reasons connected with not
duplicating data for not appearing in nsproxy.

>> I do think supporting a per container coredump setting makes a lot of
>> sense but I do not think this patch is the way to do it.
>
> I understand, thanks for the time reviewing it.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ