Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: >> This change should break userspace by the minimal amount needed >> to fix this issue. >> >> This should fix CVE-2014-8989. > > I think this is both unnecessarily restrictive and that it doesn't fix > the bug. You are going to have to work very hard to convince me this is unnecessarily restrictive. >For example, I can exploit CVE-2014-8989 without ever > writing a uid map or a gid map. Yes. I realized just after I sent the patch that setgroups(0, NULL) would still work without a mapping set. That is a first glass grade a oversight that resulted in a bug. None of the other uid or gid changing syscalls without a mapping set, and setgroups was just overlooked because it was different. Oops. I will send an updated patch that stops setgroups from working without a mapping set shortly. > IIUC, the only real issue is that user namespaces allow groups to be > dropped using setgroups that wouldn't otherwise be dropped. Can we > get away with adding a per-user-ns flag that determines whether > setgroups can be used? Being able to call setgroups is fundamental to login programs, and login programs are one of the things user namespaces need to support. So adding an extra flag and an extra place where privilege is required is just noise, and will wind up breaking every user of user namespaces. Further being able to setup uid and gid mappings without privilege is primarily a nice to have. The original design did not have unprivileged setting of uid and gid maps and if it proves insecure I goofed and the feature isn't safe so it needs to be removed. This does mean that running a system with negative groups and users delegated subordinate gids in /etc/subuid is a bad idea and system administrators shouldn't do that as those negative groups won't prove effective in stopping their users. But this is all under system administrator control so shrug. There isn't a way to avoid that fundamental conflict. > setgroups would be unusable until the gid_map has been written and > then it would become usable if and only if the parent userns could use > setgroups and the opener of gid_map was privileged. That proposal sounds a lot more restrictive and a lot more of a pain to use than what I have implemented in my patch. > If we wanted to allow finer-grained control, we could allow writing > control lines like: > > options +setgroups > > or > > options -setgroups > > in gid_map, or we could add user_ns_flags that can only be written > once and only before either uid_map or gid_map is written. Definitely more complicated and I can't imagine a case where I need a gid map without needing to call setgroups. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
