lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1427808184.2117.122.camel@HansenPartnership.com>
Date:	Tue, 31 Mar 2015 16:23:04 +0300
From:	James Bottomley <James.Bottomley@...senPartnership.com>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Alexander Larsson <alexl@...hat.com>, gnome-os-list@...me.org,
	Linux Containers <containers@...ts.linux-foundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	mclasen@...hat.com, "Eric W. Biederman" <ebiederm@...ssion.com>,
	Linux FS Devel <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options

On Tue, 2015-03-31 at 06:12 -0700, Andy Lutomirski wrote:
> On Tue, Mar 31, 2015 at 6:07 AM, James Bottomley
> <James.Bottomley@...senpartnership.com> wrote:
> > On Tue, 2015-03-31 at 09:57 +0200, Alexander Larsson wrote:
> >> On fre, 2015-03-27 at 10:03 +0100, James Bottomley
> >> >
> >> > > On Fri, Feb 20, 2015 at 5:04 PM, Andy Lutomirski <luto@...capital.net> wrote:
> >> > > > It's currently impossible to mount devpts in a user namespace that
> >> > > > has no root user, since ptmx can't be created.
> >> >
> >> > This is where I stopped reading because it's not true ... because it is
> >> > possible, you just do it from the host as real root.
> >>
> >> The point is being able to set up a container as a user, not requiring
> >> the setup to be run as root at all. In my case container is a desktop
> >> application which will be started by the user, and will run as the user.
> >> There is no root involved in the call chain at all.
> >
> > I don't really like that use case:  Most container setups are under the
> > control of an orchestration system (like LXC, OpenVZ or even Docker).
> > You typically get the orchestration system to do the dangerous
> > operations (mount being one of the bigger dangers) because it has the
> > capacity to vet them.  I can see the value in allowing a user to set up
> > a container without an oversight system, but at the same time you're
> > increasing the security vulnerability of the system.  Security is often
> > a result of policy, so now this embeds policy into the kernel.  I
> > strongly feel we should define the list of things we expect an
> > unsupervised (as in with no orchestration system) container to do and
> > then revisit this once we've given it some thought.
> 
> Try thinking "sandbox", not "container".  The ability to create
> sandboxes without some root-installed orchestration is incredibly
> valuable.

A container is anything that uses the various container APIs (mostly
cgroups and namespaces), so the set of possible containers overlaps the
set of possible sandboxes.

> In any event, this ship sailed quite awhile ago.  devpts is one of the
> smallish number of important missing features.

I'm not saying "don't do it" I'm saying think carefully about the
allowable features we permit an unprivileged user to take advantage of.
This one feels strange to me in that you're asking to give an
unprivileged user in a container more abilities than an unprivileged
user outside a container (a non-root user can't mount /dev/ptmx today).
This would mean that every unprivileged container user can now interfere
with the tty subsystem.

James


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ