lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 20 Feb 2024 21:07:16 -0500
From: Kent Overstreet <kent.overstreet@...ux.dev>
To: Matthew Wilcox <willy@...radead.org>
Cc: James Bottomley <James.Bottomley@...senpartnership.com>, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, lsf-pc@...ts.linux-foundation.org, 
	Christian Brauner <christian@...uner.io>, Stéphane Graber <stgraber@...raber.org>
Subject: Re: [LSF TOPIC] beyond uidmapping, & towards a better security model

On Wed, Feb 21, 2024 at 01:22:55AM +0000, Matthew Wilcox wrote:
> On Tue, Feb 20, 2024 at 07:25:58PM -0500, Kent Overstreet wrote:
> > But there's real advantages to getting rid of the string <-> integer
> > identifier mapping and plumbing strings all the way through:
> > 
> >  - creating a new sub-user can be done with nothing more than the new
> >    username version of setuid(); IOW, we can start a new named subuser
> >    for e.g. firefox without mucking with _any_ system state or tables
> > 
> >  - sharing filesystems between machines is always a pita because
> >    usernames might be the same but uids never are - let's kill that off,
> >    please
> 
> I feel like we need a bit of a survey of filesystems to see what is
> already supported and what are desirable properties.  Block filesystems
> are one thing, but network filesystems have been dealing with crap like
> this for decades.  I don't have a good handle on who supports what at
> this point.

I'm not sure it's critical. 9p supports it already. The big one is NFS,
but if this takes off getting it into the next version of NFS or as an
extension is going to be the easy part.

The critical part is going to be coming up with the new syscall
interface, and figuring out the compatibility shims so that the minimum
amount of userspace has to be modified to take advantage of it, and
figuring out what the compatibility code so that non username aware code
does something sensible.

But with filesystem support, so that we're persisting usernames and
those are the source of truth and old style UIDs are just ephermeral,
that part looks tractable.

I'm glad the container people are looking at this are already, and I
hope they're up for something even more ambitious :) I'd love to kill
off the problems with integer identifiers once and for all.

One of my professors way way back, who was a big influence on me, made
the point that the purpose of the operating system is to virtualize the
hardware, so that every program can pretend it has the whole machine to
itself. Hence things like virtual memory, and filesystems that let you
recursively divide your storage.

But that job isn't complete until the operating system lets you
recursively subdivide every resource it provides, physical or virtual:
hence containers and namespaces.

Hence - 64 bit identifiers aren't enough, if we're going to solve this
once and for all it's got to be a variable length path.

> As far as usernames being the same ... well, maybe.  I've been willy,
> mrw103, wilma (twice!), mawilc01 and probably a bunch of others I don't
> remember.  I don't think we'll ever get away from having a mapping
> between different naming authorities.

*nod* There will still be situations where remapping is needed, but name
<-> name mapping is way easier for users to deal with than integer <->
integer.

Also - I'd like to get some security model people involved with this, if
anyone knows the right people to loop in. That's the part that's the
most interesting to me (and what motivated me to post this the other day
was Al bitching about apparmor on IRC).

I think, in hindsight, that we grew a lot of this strange security model
stuff that doesn't at all fit with the Unix security model for the
simple reason that creating new permissions domains is just not
something you do on an as needed basis, as a normal user.

The next natural thing to do with permissions is to extend the
permissions model with rwx bits for
 - parent of current user
 - subusers of current user

..and probably various acl variants of these.

There's some interesting territory to be explored there for sure.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ