Re: Suggestion/Discussion for mount_namespaces(7)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[Dropping Eric into CC, in case he has time to comment.]

Hi Tycho,

On Wed, 31 Oct 2018 at 20:18, Tycho Kirchner <tychokirchner@xxxxxxx> wrote:
>
> Am 31.10.18 um 08:48 schrieb Michael Kerrisk (man-pages):
> > Hello Tycho,
> >
> > On Thu, 25 Oct 2018 at 14:51, Tycho Kirchner <tychokirchner@xxxxxxx> wrote:
> >>
> >> Update the mount_namespaces(7) with a mention that unsharing the
> >> mountspace require the CAP_SYS_ADMIN-capability.
> >
> > But this is already fairly clearly stated in the unshare(2) page (and
> > is also mentioned in namespaces(7)). It seems to me unnecessary to
> > repeat the info in mount_namespaces(7), but then I do not read this
> > page as a new user. Tell me, did you miss the info in unshare(2), or
> > do you feel that nevertheless the info should be repeated?
> >
> >> If possible, please
> >> also add a justification because I know of several people who would like
> >> to understand that.
> >
> > I've tried to capture this by adding a few words to the namespaces(7) page;
> >
> >         Creation of new namespaces using clone(2) and unshare(2)  in  most
> >         cases  requires  the CAP_SYS_ADMIN capability, **since, in the new
> >         namespace, the creator  will  have  the  power  to  change  global
> >         resources  that  are  visible  to  other processes that are subse‐
> >         quently created in, or join the namespace**.
> >
> >> (In fact I'm about to write a setuid-program which allows unsharing the
> >> mountspace for everyone and was wondering, if that is insecure in any
> >> way? What is the rationale behind disallowing unsharing the mountspace
> >> for regular users? Note that I know that doing so is possible by also
> >> unsharing the usernamespace, but this introduces other limitations [e.g.
> >> setuid-programs cannot be called from there]).
> >
> > A while back, I added some text to the capabilities(7) manual page
> > (http://man7.org/linux/man-pages/man7/capabilities.7.html) that may
> > help you better understand what's going on here. See the subsections
> > "File capability mask versioning" and "Namespaced file capabilities".
> >
> >> Thank you very much, also for the valuable work you have done so far.
> >
> > You're welcome. Unfortunately, my available time is quite limited these days...
> >
> > Cheers,
> >
> > Michael
> >
>
> Hello Michael,
> thanks for your answer.
> Repeating that unsharing the mount namespace requires CAP_SYS_ADMIN
> within mount_namespaces(7) makes sense with regard to an explanation,
> *why* in particular unsharing the mount-namespace needs this capability.
>
> >        Creation of new namespaces using clone(2) and unshare(2)  in  most
> >        cases  requires  the CAP_SYS_ADMIN capability, **since, in the new
> >        namespace, the creator  will  have  the  power  to  change  global
> >        resources  that  are  visible  to  other processes that are subse‐
> >        quently created in, or join the namespace**
>
> I don't think this is true with reference to mount namespaces. Imagine
> it was allowed to *merely* unshare the mount namespace for a regular
> user *without* unsharing the user namespace . As I understand it, the
> security relevant bits (e.g. mount propagation into the parent
> mountspace) *only* apply if a respective mount is actually performed.
> However, this is not possible, since the user does *not* have the power
> to do so.

Yes, but that's the point isn't it? If you could unshare a mount
namespace as an unprivileged user, you still wouldn't be able to
create mount points, so it wouldn't be very useful. But, see my
furtehr comments below.

> > A while back, I added some text to the capabilities(7) manual page
> > (http://man7.org/linux/man-pages/man7/capabilities.7.html) that may
> > help you better understand what's going on here. See the subsections
> > "File capability mask versioning" and "Namespaced file capabilities".
>
> These subsections seem to refer to user namespaces - could you please
> elaborate how mount-namespaces are concerned?

Sorry -- I meant to point you to that text with regard to your
comments about how set-UID programs work in user namespaces. It was
not relevant to mount namespaces.

> It seems to me that unsharing the mountspace is a safe thing and the
> dangerous stuff begins when actually creating the mount-points, which
> however is *not* possible without root-privileges/setuid-programs.
> Maybe the implementers of the unshare syscall had too much the
> mount-operations in mind and thought it would not make sense to allow
> anyone creating a new mount namespace because for performing a mount
> root-privileges were required anyway?
>
> Do you share my thoughts?

Okay -- maybe I see your point now. To summarize:

1. Set-UID-root programs can make mount points (because they have the
CAP_SYS_ADMIN capability).
2. Imagine an alternative world where an unprivileged user could
unshare the mount NS.
3. In that alternative world, the user would not be able to create
mount points, unless they ran a suitable set-UID-root program that
allowed them to do so (or switched to root using sudo) . (And that
same program could be used in any case by the unprivileged user from
the *initial* mount NS.)

I suspect that the reason this scenario isn't allowed is:
1) It's an unlikely use case. I mean, in step 3 you'll need to be
running some privileged program anyway, so why not just require
privilege to create the new mount namespace?
2) As kernel developers, let's be conservative and allow only the use
cases we know are useful and we believe are safe.

But, that's just my estimation.

Regarding your intent to create a set-UID-root program that allows any
user to unshare the mount NS, I'm not sure of the security
implications, but I would feel a little nervous about this. Note also
that there is work in progress to allow mounts if filesystems by
unprivileged users in an unshared user+mount namespace set-up.

Thanks,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/




[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux