lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 20 Feb 2017 14:57:17 +0100
From:   Djalal Harouni <tixxdz@...il.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Aleksa Sarai <asarai@...e.de>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Alexey Dobriyan <adobriyan@...il.com>,
        linux-kernel <linux-kernel@...r.kernel.org>, cyphar@...har.com,
        dev@...ncontainers.org, Linux API <linux-api@...r.kernel.org>,
        Linux Containers <containers@...ts.linux-foundation.org>
Subject: Re: [PATCH] groups: don't return unmapped gids in getgroups(2)

On Thu, Feb 16, 2017 at 7:19 PM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
>
> Added a few more relevant mailing-lists to the CC list.
>
> Aleksa Sarai <asarai@...e.de> writes:
>
>> One thing overlooked by commit 9cc46516ddf4 ("userns: Add a knob to
>> disable setgroups on a per user namespace basis") is that because
>> setgroups(2) no longer works in user namespaces it doesn't make any
>> sense to be returning weird group IDs that the process cannot do
>> anything with.
>
> This code works the same weather or not setgroups is enabled.
>
>> This change, along with the other changes made to require unprivileged
>> users to always disable setgroups(2), means that userspace programs such
>> as apt break inside rootless containers. While this change does change
>> the userspace ABI, any userspace program that has to deal with
>> getgroups(2) would have to filter out these "fake" group IDs anyway.
>> This just makes it so that less applications will have to handle this
>> broken API.
>
> Is it broken?  Unless I am mistaken if we have a 16bit getgroups
> call and we 32bit group ids  getgroups it behaves exactly the same way.
>
> The value we is (u16)-2.  The traditional linux group id for this
> purpose.
>
> In all other contexts the best we can do for applications has been to
> return the user id or group id that says the value you are looking for
> does not fit in this context.  Which makes me suspect this is not the
> right solution for getgroups.
>
> I don't know why apt breaks.  You have not described that.  Perhaps apt
> is seeing something misconfigured and complaining properly.
>
> I can be persauded but I need a better argument than this change makes
> one applicaiton work for me.

We have already code that takes into account the returned overflowed
UID from inside, what we are also doing is from outside to let
services/containers run with dynamic unique UIDs between 0x0000EF00
and 0x0000FFEF which is a nice replacement feature for the "nobody"
mess from outside, but also it allows to map the dynamic same IDs to
themselves and everything else inside is "nobody".  So the code that
wants to check if the user is in real mapped GIDs has also to check
what /proc/sys/kernel/overflowgid means.

Thanks!


>
>
>> Fixes: 9cc46516ddf4 ("userns: Add a knob to disable setgroups on a per user namespace basis")
>> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
>> Cc: <dev@...ncontainers.org>
>> Signed-off-by: Aleksa Sarai <asarai@...e.de>
>> ---
>>  kernel/groups.c | 25 ++++++++++++++++++-------
>>  1 file changed, 18 insertions(+), 7 deletions(-)
>>
>> diff --git a/kernel/groups.c b/kernel/groups.c
>> index 8dd7a61b7115..ebd01fff37d6 100644
>> --- a/kernel/groups.c
>> +++ b/kernel/groups.c
>> @@ -41,16 +41,27 @@ static int groups_to_user(gid_t __user *grouplist,
>>                         const struct group_info *group_info)
>>  {
>>       struct user_namespace *user_ns = current_user_ns();
>> -     int i;
>> +     int i, j = 0;
>>       unsigned int count = group_info->ngroups;
>>
>>       for (i = 0; i < count; i++) {
>> +             kgid_t kgid = group_info->gid[i];
>>               gid_t gid;
>> -             gid = from_kgid_munged(user_ns, group_info->gid[i]);
>> -             if (put_user(gid, grouplist+i))
>> +
>> +             /*
>> +              * Don't return unmapped gids, since there's nothing userspace
>> +              * can do about them and they are very confusing -- since
>> +              * setgroups(2) is disabled in user namespaces.
>> +              */
>> +             if (!kgid_has_mapping(user_ns, kgid))
>> +                     continue;
>> +
>> +             gid = from_kgid(user_ns, kgid);
>> +             if (put_user(gid, grouplist+j))
>>                       return -EFAULT;
>> +             j++;
>>       }
>> -     return 0;
>> +     return j;
>>  }
>>
>>  /* fill a group_info from a user-space array - it must be allocated already */
>> @@ -177,10 +188,10 @@ SYSCALL_DEFINE2(getgroups, int, gidsetsize, gid_t __user *, grouplist)
>>                       i = -EINVAL;
>>                       goto out;
>>               }
>> -             if (groups_to_user(grouplist, cred->group_info)) {
>> -                     i = -EFAULT;
>> +
>> +             i = groups_to_user(grouplist, cred->group_info);
>> +             if (i < 0)
>>                       goto out;
>> -             }
>>       }
>>  out:
>>       return i;



-- 
tixxdz

Powered by blists - more mailing lists