Complexity [LWN.net]

Complexity

Posted Mar 25, 2013 10:17 UTC (Mon) by dlang (guest, #313)
In reply to: Complexity by talex
Parent article: Anatomy of a user namespaces vulnerability

why should you be able to install new software on the system without the permission of the admin of that system?

if 0install needs to run tar as root to install it's applications, and you don't want to trust tar as root, then you shouldn't trust it. untar the files as the user and then change their permissions afterwords.

And if you think that users should be able to change the ownership of files to be other users without requiring some sort of privilege, you just don't understand the concepts.

Namespaces makes it possible to escape from a chroot, because they let the user become root inside a changeroot.

But namespaces are intended to replace chroot, so you would not be likely to use chroot and namespaces together.

now, once distros start enabling all these namespaces by default, they end up weakening the security of anything that's using chroot, but if a distro is doing that, the distro should be changing the programs to be locked down via namespaces limitations instead

nobody should be using Fedora in production, it's bleeding edge, and exposing this sort of security problem where namespaces interact badly with each other and with other features is exactly the sort of bleeding that such a distro produces.

to post comments

Complexity

Posted Mar 25, 2013 11:00 UTC (Mon) by talex (guest, #19139) [Link]

> why should you be able to install new software on the system without the permission of the admin of that system?

That's just the way Linux works. Any user can cause executable files to be written to their home directory, and can then run them. But, like most people, I am the admin of my computer, so I don't need to ask anyone's permission to install software.

> if 0install needs to run tar as root to install it's applications, and you don't want to trust tar as root, then you shouldn't trust it. untar the files as the user and then change their permissions afterwords.

0install doesn't run tar as root. It runs it as my normal user. But that's still more privileges that I'd like to give it.

For example, let's say I'm installing OpenTTD. Currently, 0install downloads the archive as my user (talex), unpacks it, verifies it, and runs it. OpenTTD does not gain root privileges on my system, but it does run with my user privileges. I'd like to restrict it further so that, for example, it can't read or write to my home directory (or anywhere except it's own data directory).

> But namespaces are intended to replace chroot, so you would not be likely to use chroot and namespaces together.

So, what is the replacement for chroot in the new namespaces world then? Should I unmount all existing filesystems and mount something new over the real root? I'm not sure how to do that.

Complexity

Posted Mar 25, 2013 18:46 UTC (Mon) by luto (subscriber, #39314) [Link]

Chrooting to an empty, unwritable directory, closing fds and dropping privileges denies useful filesystem access. A kernel that suddenly changes that is not okay and should be fixed. (And that's one of the bugs I found. Guess I might as well make the whole thing public.)