lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALCETrV=9Rebc3NNyQD3bLee_EL_222-oww45JXUasK=mq3dgA@mail.gmail.com>
Date:	Mon, 29 Apr 2013 13:21:18 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	richard -rw- weinberger <richard.weinberger@...il.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Michael Kerrisk-manpages <mtk.manpages@...il.com>,
	Rob Landley <rob@...dley.net>,
	linux-man <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	lkml <linux-kernel@...r.kernel.org>,
	Vasily Kulikov <segoon@...nwall.com>,
	Serge Hallyn <serge.hallyn@...ntu.com>
Subject: Re: For review (v2): user_namespaces(7) man page

On Thu, Apr 25, 2013 at 10:48 PM, richard -rw- weinberger
<richard.weinberger@...il.com> wrote:
> On Fri, Apr 26, 2013 at 2:54 AM, Eric W. Biederman
> <ebiederm@...ssion.com> wrote:
>> richard -rw- weinberger <richard.weinberger@...il.com> writes:
>>
>>> On Wed, Mar 27, 2013 at 10:26 PM, Michael Kerrisk (man-pages)
>>> <mtk.manpages@...il.com> wrote:
>>>>        Inside the user namespace, the shell has user and group  ID  0,
>>>>        and a full set of permitted and effective capabilities:
>>>>
>>>>            bash$ cat /proc/$$/status | egrep '^[UG]id'
>>>>            Uid: 0    0    0    0
>>>>            Gid: 0    0    0    0
>>>>            bash$ cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'
>>>>            CapInh:   0000000000000000
>>>>            CapPrm:   0000001fffffffff
>>>>            CapEff:   0000001fffffffff
>>>
>>> I've tried your demo program, but inside the new ns I'm automatically nobody.
>>> As Eric said, setuid(0)/setgid(0) are missing.
>>
>> Is it the setuid/setgid or not setting up the uid/gid map?
>
> uid/git mapping are set up.
>
>>> Eric, maybe you can help me. How can I drop capabilities within a user
>>> namespace?
>>
>>> In childFunc() I did add prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) but it always
>>> returns ENOPERM.
>>> What that? I thought I get a completely fresh set of cap which I can modify.
>>> I don't want that uid 0 inside the container has all caps.
>>
>> There are weird things that happen with exec and the user namespace.  If
>> you have exec'd as an unmapped user all of your capabilities have
>> already been droped.
>
> I've setup the mappings. If I look into /proc/*/status I see that my process has
> all caps.
> So, in general it is possible to drop cap within a user namespace?
> I really want to drop CAP_NET_ADMIN and some others.
> root within my container must not change any networking settings.

You may have the common issue that uid 0 tends to regain capabilities
on exec due to "legacy" capability emulation.  Try playing with
securebits and/or the bounding set.  (The setpriv command in very new
util-linux-ng makes this easy to play with.)

Note that you almost certainly want to set no_new_privs if anything
other than uid 0 is running with non-default securebits.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ