The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 21:37 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: The long road to a fix for CVE-2021-20316 by jra
Parent article: The long road to a fix for CVE-2021-20316

The heart of the issue are processes working at different permission levels and sharing the same namespace. This simply can't be made secure.

Future OSes should reject the ACL and permission nonsense and instead move to true container-like isolation.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 22:13 UTC (Thu) by jra (subscriber, #55261) [Link] (3 responses)

Again, I fully agree with you about that. There's a project being lead by Red Hat to help containerize Sba which I'm hoping will bear fruit soon.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 22:14 UTC (Thu) by jra (subscriber, #55261) [Link] (1 responses)

Damn phone keyboard. For Sba read Samba of course.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 23:52 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

LOL.

I actually Googled "Sba RedHat" and just was going to ask what it is.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:59 UTC (Fri) by phlogistonjohn (subscriber, #81085) [Link]

For the curious, I believe the projects Jeremy is referring to are our efforts here:
https://github.com/samba-in-kubernetes/samba-container/
and the related projects in our org https://github.com/samba-in-kubernetes/

Note that despite the name "kubernetes" in the org, the container images are designed not to be k8s
specific. I'd love to see other uses of the container images for docker/docker-compose, podman, etc. The name was partly chosen because we do have other k8s specific integration plans... and we could abbreviate it as "SINK" ;-)
Thank you for the opportunity for a bit of free advertising.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 10:10 UTC (Fri) by taladar (subscriber, #68407) [Link] (3 responses)

Containers wouldn't really help you with servers like Samba that need to allow for different permissions for different remote users. Nor would they help for permission changes over time. In fact I would go so far as to say containers wouldn't help you with this sort of issue at all.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 13:30 UTC (Fri) by joib (subscriber, #8541) [Link] (2 responses)

Just putting samba, as is, into a docker/podman/whatever container with full permissions won't fix anything, yes.

But maybe something like when a new user connects, fork a new process to handle that user, create appropriately restricted namespaces for that process (call it a "container" if you like), and finally switch the process uid to that user?

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 16:53 UTC (Sun) by marcH (subscriber, #57642) [Link]

Sounds like https://www.infoq.com/news/2014/06/everything-google-cont...

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 19:24 UTC (Wed) by ssmith32 (subscriber, #72404) [Link]

You'd still need to deal with giving multiple users different levels of access (r/w, at least), to the same file/directory. But it would help with the directory escape bugs.