lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 25 Apr 2013 09:48:00 +0200
From:	richard -rw- weinberger <richard.weinberger@...il.com>
To:	Michael Kerrisk-manpages <mtk.manpages@...il.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Rob Landley <rob@...dley.net>,
	linux-man <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	lkml <linux-kernel@...r.kernel.org>,
	Vasily Kulikov <segoon@...nwall.com>,
	Serge Hallyn <serge.hallyn@...ntu.com>, luto@...capital.net
Subject: Re: For review (v2): user_namespaces(7) man page

On Wed, Mar 27, 2013 at 10:26 PM, Michael Kerrisk (man-pages)
<mtk.manpages@...il.com> wrote:
>        Inside the user namespace, the shell has user and group  ID  0,
>        and a full set of permitted and effective capabilities:
>
>            bash$ cat /proc/$$/status | egrep '^[UG]id'
>            Uid: 0    0    0    0
>            Gid: 0    0    0    0
>            bash$ cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'
>            CapInh:   0000000000000000
>            CapPrm:   0000001fffffffff
>            CapEff:   0000001fffffffff

I've tried your demo program, but inside the new ns I'm automatically nobody.
As Eric said, setuid(0)/setgid(0) are missing.

Eric, maybe you can help me. How can I drop capabilities within a user
namespace?
In childFunc() I did add prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) but it always
returns ENOPERM.
What that? I thought I get a completely fresh set of cap which I can modify.
I don't want that uid 0 inside the container has all caps.

And why does /proc/*/loginuid always contain 4294967295 in a new user namespace?
Writing to it also fails. (Noticed that because pam_loginuid.so does not work).

Final question, is it by design that uid 0 within a namespace in not
allowed to write to
/proc/*/oom_score_adj?


Thanks,
//richard

P.s: I've used 3.9-rc8 for my tests...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists