The kdbuswreck
The kdbuswreck
Posted Apr 22, 2015 21:24 UTC (Wed) by mezcalero (subscriber, #45103)Parent article: The kdbuswreck
- "... the requested action will only be carried out if the requester has CAP_SYS_TIME, CAP_NET_ADMIN, or CAP_SYS_BOOT, respectively." -- this is simply incorrect. Nobody suggested something this. Having these caps should be *sufficient* to trigger the operations, but not *mandatory*. That's quite a difference.
- "... starting with the fact that capabilities are meant to be interpreted by the kernel, not by user space" -- that's hardly a "fact", that's merely an opinion.
- The part about "... Lennart Poettering doesn't see this limitation as a problem because user namespaces are not (yet) heavily used..." is pretty bogus, I never said that. Yes, I don't see that as limitation, but certainly not because userns weren't used, but simply because it is simply the right thing that processes of a different user namespace should not have rights in any other.
- "... feel that a process should explicitly indicate that it intends to perform an action requiring a specific capability before any such information should be sent..." -- this in fact has been implemented already after the first review round of the patches. And this has been mentioned in the various threads many times. Attaching creds is opt-in from both sides: the sender and the receiver of a message. Only if *both* sides allow/want the data it is actually attached.
- "Lennart .., is not thrilled with the suggestion that kdbus should support a user-space privilege mechanism" makes no sense. I never said anything like that, and systemd already supports a userspace authorization framework just fine, and uses it for most of its bus calls. That's what PolicyKit is.
Also, I don't think calling kdbus a "wreck" is appropriate at all.
Posted Apr 22, 2015 21:46 UTC (Wed)
by corbet (editor, #1)
[Link] (17 responses)
Well, then, I'm genuinely confused. If you don't need the capability, why bother checking for it? If you're saying you're doing some other check (user running on the desktop, say), well, I didn't quite catch that. But I said "if", not "iff", so I can claim to have gotten it right :)
Fine, it's an opinion, could have been expressed better. Obviously not everybody feels that way.
The message from you linked in the article starts with you saying "I have seen no use of userns for sandboxing normal daemons so far. I
have seen tons of daemons using caps for such sandboxing." Obviously you think that should have been interpreted some other way?
As you know, the "optional" nature of this is currently not universally believed. See the message from Andy linked at the point you stopped quoting.
Well, I quoted what you said. In retrospect it would have been better if I'd said "implement a new" instead of "support". They were suggesting you make something new and independent of capabilities, you clearly didn't like that idea — not entirely unreasonably, IMO.
...and I never did that. The title refers to the discussion, not the technology. If you think I see kdbus that way maybe you should reread what I've written, I don't think it was that unclear.
If you think the article was an unfair description of the disagreement I am genuinely sorry. I put a lot of time into trying to let all points of view shine through — it was not easy! And honestly, I don't think think it was that far off...
Posted Apr 22, 2015 22:12 UTC (Wed)
by mezcalero (subscriber, #45103)
[Link] (15 responses)
"Well, then, I'm genuinely confused. If you don't need the capability, why bother checking for it? If you're saying you're doing some other check (user running on the desktop, say), well, I didn't quite catch that. But I said "if", not "iff", so I can claim to have gotten it right :) "
Well, there are multiple ways how things can be authorized. Here's an example: logind will allow you to kill all processes belonging to a specific user session either if you have CAP_SYS_KILL, or if your user id matches the session's user. Neither of these security checks is mandatory individually, but having one of them is sufficient. That's the exact same way the kernel makes it's permission checks on CAP_SYS_KILL. This isn't an algorithm we invented, that's *HOW THESE THINGS WORK*!
And no, you can *not* claim you got this right, you did not. You wrote "only".
Reply to your third reply:
"The message from you linked in the article starts with you saying "I have seen no use of userns for sandboxing normal daemons so far. I have seen tons of daemons using caps for such sandboxing." Obviously you think that should have been interpreted some other way?
The issue I have is that you connected "Lennart Poettering doesn't see this limitation as a problem" and "user namespaces are not (yet) heavily used" with that little word "because". I said both of these things, but I never said that one was because of the other. That's something you incorrectly made up.
Reply to your fourth reply:
"As you know, the "optional" nature of this is currently not universally believed. See the message from Andy linked at the point you stopped quoting."
Oh well, if you don't believe what the kdbus folks say, how about actually *checking* the kdbus code? It's all open, for review. Also why would you assume that the kdbus developers are dishonest about this?
Reply to your fifth reply:
"Well, I quoted what you said. In retrospect it would have been better if I'd said "implement a new" instead of "support". They were suggesting you make something new and independent of capabilities, you clearly didn't like that idea — not entirely unreasonably, IMO."
There are two things you changed from what I said. In the mail you linked I said "...comprehensive new access control systems that can be used for in-kernel and in-userspace subsystems". First as you noticed by now, I said "new". Secondly, I said "comprehensive ... access control system ... for in-kernel and in-userspace subsystems", the emphasis being on *both* in-kernel and in-userspace here: caps can be that. PK cannot, it is userspace-only, and will never make sense in the kernel and it shouldn't have to.
Reply to your sixth reply:
You called this "kdbuswreck", not "kdbus discussion wreck" or similar. You know exactly how this works: people read the title and skip over the text, and "kdbus" and "wreck" is all that'll be stuck.
Anyway, please be more careful next time.
Posted Apr 22, 2015 22:24 UTC (Wed)
by corbet (editor, #1)
[Link] (5 responses)
Oh come on, now you are just looking for trouble. Who said anything about dishonesty?
He's not calling anybody dishonest either. He's saying the optionality at one level of the code is unlikely to make it through to real-world use. I believe you knew this.
With regard to the title...perhaps it was a bad choice, but "buswreck" (or "trainwreck") is a fairly common English term for an unfortunate situation. I still believe that you have to stretch pretty hard to say that "The kdbuswreck" (note "the") somehow refers to the code. And I'm somewhat amused by your statement that people read only my titles and not the actual text...
Posted Apr 22, 2015 22:31 UTC (Wed)
by branden (guest, #7029)
[Link] (2 responses)
Posted Apr 22, 2015 22:56 UTC (Wed)
by mezcalero (subscriber, #45103)
[Link]
Posted Apr 23, 2015 8:22 UTC (Thu)
by edomaur (subscriber, #14520)
[Link]
Posted Apr 22, 2015 22:37 UTC (Wed)
by corbet (editor, #1)
[Link] (8 responses)
Posted Apr 22, 2015 22:51 UTC (Wed)
by mezcalero (subscriber, #45103)
[Link]
Posted Apr 23, 2015 1:57 UTC (Thu)
by JdGordy (subscriber, #70103)
[Link] (2 responses)
Posted Apr 23, 2015 2:03 UTC (Thu)
by corbet (editor, #1)
[Link] (1 responses)
Posted Apr 25, 2015 16:13 UTC (Sat)
by Trelane (subscriber, #56877)
[Link]
Your policy is fantastic. Thank you for it.
Posted Apr 23, 2015 8:06 UTC (Thu)
by speedster1 (guest, #8143)
[Link] (3 responses)
Posted Apr 23, 2015 9:22 UTC (Thu)
by rvfh (guest, #31018)
[Link] (2 responses)
I have read so much bullsh*t on 'respected' newspaper sites where even commenting is useless because so many people need to send stupid comments without thinking for just one second, that seeing Jon listening, explaining and even fixing his already excellent article is like a breath of fresh air.
I really like LWN.
Posted Apr 23, 2015 20:40 UTC (Thu)
by a9db0 (subscriber, #2181)
[Link] (1 responses)
Thank you, Jon, first for continuing to address thorny issues and make sense of them, and second for being responsive to your readers.
Dave
Posted Apr 25, 2015 12:19 UTC (Sat)
by louai (guest, #58033)
[Link]
LWN is awesome. Thank you very much indeed for all the hard work!
For what it's worth, I think the article is balanced and very informative.
Louai
Posted Apr 22, 2015 22:13 UTC (Wed)
by jjmarin (subscriber, #53201)
[Link]
Sigh. This always seems so hard.
The kdbuswreck
"... the requested action will only be carried out if the requester has CAP_SYS_TIME, CAP_NET_ADMIN, or CAP_SYS_BOOT, respectively." -- this is simply incorrect. Nobody suggested something this. Having these caps should be *sufficient* to trigger the operations, but not *mandatory*. That's quite a difference.
"... starting with the fact that capabilities are meant to be interpreted by the kernel, not by user space" -- that's hardly a "fact", that's merely an opinion.
The part about "... Lennart Poettering doesn't see this limitation as a problem because user namespaces are not (yet) heavily used..." is pretty bogus, I never said that
"... feel that a process should explicitly indicate that it intends to perform an action requiring a specific capability before any such information should be sent..." -- this in fact has been implemented already after the first review round of the patches. And this has been mentioned in the various threads many times. Attaching creds is opt-in from both sides: the sender and the receiver of a message. Only if *both* sides allow/want the data it is actually attached.
"Lennart .., is not thrilled with the suggestion that kdbus should support a user-space privilege mechanism" makes no sense. I never said anything like that
Also, I don't think calling kdbus a "wreck" is appropriate at all.
The kdbuswreck
The kdbuswreck
Oh well, if you don't believe what the kdbus folks say, how about actually *checking* the kdbus code? It's all open, for review. Also why would you assume that the kdbus developers are dishonest about this?
But I don't believe that for a second. AFAICS sd-bus (maybe the
primary implementation) will always set that flag if for no other
reason than that it *doesn't know* when the client is trying to assert
a capability. So we'd be giving users a gun which is, in practice,
only ever pointed at the users' feet.
The kdbuswreck
The kdbuswreck
The kdbuswreck
Just for the record, I have made a few tweaks to the article in response to these complaints.
The kdbuswreck
The kdbuswreck
The kdbuswreck
Our policy is to not make silent changes to published articles for anything other than trivial typo fixes; an article shouldn't quietly mutate after it has been put out there. So the old stuff remains, even though I'd be happy to see it go. I did stick in a note up front noting that corrections have been made, though.
Corrections
Corrections
The kdbuswreck
LWN rocks!
LWN rocks!
LWN rocks!
The kdbuswreck