| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 May 2024 10:34:16 -0700 From: Andy Lutomirski <luto@...nel.org> To: Aleksa Sarai <cyphar@...har.com> Cc: Stas Sergeev <stsp2@...dex.ru>, "Serge E. Hallyn" <serge@...lyn.com>, linux-kernel@...r.kernel.org, Stefan Metzmacher <metze@...ba.org>, Eric Biederman <ebiederm@...ssion.com>, Alexander Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, Jeff Layton <jlayton@...nel.org>, Chuck Lever <chuck.lever@...cle.com>, Alexander Aring <alex.aring@...il.com>, David Laight <David.Laight@...lab.com>, linux-fsdevel@...r.kernel.org, linux-api@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>, Christian Göttsche <cgzones@...glemail.com> Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() On Mon, May 6, 2024 at 10:29 AM Andy Lutomirski <luto@...capital.net> wrote: > > Replying to a couple emails at once... > > On Mon, May 6, 2024 at 12:14 AM Aleksa Sarai <cyphar@...har.com> wrote: > > I also find it somewhat amusing that this proposal is to basically give > > up on multi-user permissions for this one directory tree because it's > > too annoying to deal with. In that case, isn't chmod 777 a simpler > > solution? (I'm being a bit flippant, of course there is a difference, > > but the net result is that all users in the container would have the > > same permissions with all of the fun issues that implies.) > > > > In short, AFAICS idmapped mounts pretty much solve this problem (minus > > the ability to collapse users, which I suspect is not a good idea in > > general)? > > > > With my kernel hat on, maybe I agree. But with my *user* hat on, I > think I pretty strongly disagree. Look, idmapis lousy for > unprivileged use: > > $ install -m 0700 -d test_directory > $ echo 'hi there' >test_directory/file > $ podman run -it --rm > --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > # cat /tmp/file > hi there > > <-- Hey, look, this kind of works! > > # setpriv --reuid=1 ls /tmp > ls: cannot open directory '/tmp': Permission denied > > <-- Gee, thanks, Linux! I should add: this is lousy even for privileged use. On a normal non-containerized system: $ ls -ld /var/lib/mysql drwxr-xr-x. 3 mysql mysql 4096 Sep 20 2023 /var/lib/mysql This makes perfect sense. But if I want to run mysql in a container in a sane way, my only real choice is either to trust the container manager quite strongly (so it only maps this directory into the correct container) or, if I want to separate out management of this container into its own UID (which is a good practice), then I'm forced to do some kind of fragile hack like making a directory only accessible to the correct UID and then creating a 0777 directory inside it and bind-mounting *that*.
Powered by blists - more mailing lists