|
|
Subscribe / Log in / New account

Systemd heads for a big round-number release

Systemd heads for a big round-number release

Posted May 7, 2024 21:17 UTC (Tue) by bluca (subscriber, #118303)
In reply to: Systemd heads for a big round-number release by intelfx
Parent article: Systemd heads for a big round-number release

> mean "disk-image" container managers? Not sure how to call it, but I'm pretty sure podman is already truly unprivileged...

Nope, uses setuid binaries

> Anyway, I can see this could be pretty useful but also dangerous because it would allow the kernel to trip over a potentially malicious filesystem image. I'm assuming polkit/verity integration is there for this exact reason, with polkit covering the workstation use-case and verity covering the "container fleet" use-case?

Yes, pretty much

to post comments

Systemd heads for a big round-number release

Posted May 8, 2024 1:01 UTC (Wed) by intelfx (subscriber, #130118) [Link] (1 responses)

> Nope, uses setuid binaries

Okay, what am I missing here?

# find /usr -perm /u+s,g+s -print0 | parallel -0 -X pacman -Qqo | sort -u | grep -Fxf <(pactree --linear --unique podman)
dbus
krb5
pam
shadow
util-linux

Systemd heads for a big round-number release

Posted May 8, 2024 15:00 UTC (Wed) by pbonzini (subscriber, #60935) [Link]

I think podman uses newuidmap/newgidmap, which is part of the shadow package (it's in a package called shadow-utils on Fedora)

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 1:07 UTC (Wed) by geofft (subscriber, #59789) [Link] (11 responses)

podman uses the newuidmap/newgidmap commands to get access to a range of subuids. There are cases where this is close enough to "unprivileged," because those commands can come from the OS and have a pretty stable/minimal interface, and an unprivileged user can install whatever version of podman they like via whatever means (e.g. building from source) and it will work with the existing newuidmap/newgidmap binaries - nothing in podman itself needs to be setuid.

So, for instance, this is more unprivileged than anything that requires a new version of systemd to be running as root: an unprivileged user will often be on some system that sets up subuids/subgids for them and has the setuid helpers because that's what the distro does by default, but the system is running some existing stable release of a distro. (Also, all of this only works if unprivileged user namespaces are enabled, which some distros are clamping down on.)

It is possible to get podman to work without the setuid binaries at all, though - assuming you don't have subuids set up, you can just do podman run --uidmap 0:0:1, and it will realize it doesn't need to map things. (If you do have /etc/subuid and /etc/subgid files but newuidmap/newgidmap aren't actually setuid, e.g. because you're in some no-new-privs mode or using strace or whatever, it's currently a little bit annoying but doable. I got this working with suitable fake subuidmap and subgidmap commands.)

But also, this is a sort of different thing from what systemd-nspawn has gained a privileged helper for. There isn't anything that handles UID/GID mapping in this setup, is there? So the limitation, which would apply to both systemd-nspawn and fully unprivileged podman, is that you only get a single UID/GID inside the container. Which is often fine but not always.

The privileged helper for systemd-nspawn is, as I understand it, an IPC interface to get a mounted root filesystem for the container. podman does not need privilege for that - but it does need FUSE accessible to unprivileged users, which is another common but not guaranteed configuration. (Or, I think, it can just copy a bunch of files with the default "vfs" driver.) I'm curious if you considered a FUSE approach of some sort to allow using untrusted images.

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 1:12 UTC (Wed) by intelfx (subscriber, #130118) [Link]

Thanks, this has just filled a gap in my understanding (that, to my shame, I did not even realize was there).

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 1:23 UTC (Wed) by geofft (subscriber, #59789) [Link] (5 responses)

On a side note - if systemd wanted to incorporate some IPC interface for doing the thing that newuidmap/newgidmap does but without a setuid binary, that would be awesome, and very much in line with the run0 stuff. I tried looking at whether we could eliminate setuid binaries (or equivalently stick people in a no-new-privs environment at login) at my workplace and I think newuidmap/newgidmap and sudo were the most difficult ones to deal with.

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 9:52 UTC (Wed) by bluca (subscriber, #118303) [Link] (4 responses)

That is exactly what the new IPC does, it's provided by the new service systemd-nsresourced, and that's why as I mentioned this is really setuid-free:

https://www.freedesktop.org/software/systemd/man/devel/sy...

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 14:11 UTC (Wed) by intelfx (subscriber, #130118) [Link] (3 responses)

BTW, is there any reason this uses varlink instead of D-Bus? Are there any plans to reconcile the two, or make Varlink _the_ primary IPC method (obsoleting D-Bus), or is this another one of those "15 competing standards" situations?

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 14:28 UTC (Wed) by bluca (subscriber, #118303) [Link] (1 responses)

The last one

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 14:34 UTC (Wed) by daroc (editor, #160859) [Link]

As my mother says, the nice thing about standards is that there are so many of them.

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 14:35 UTC (Wed) by paulj (subscriber, #341) [Link]

Sounds like NIH. Also, basing a protocol for simplicity on JSON is.... interesting (passing numbers in JSON in a generally robust way is anything but simple).

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 9:55 UTC (Wed) by bluca (subscriber, #118303) [Link] (2 responses)

Podman is not really unprivileged though, as it uses setuid binaries, which escalate privileges of the callers and have all the well-known issues and vulnerabilities. Nspawn doesn't use any of that since this release, and instead gets its UID mappings assigned via IPC from systemd-nsresourced, so it's radically different - no setuid binaries involved.
And this is an IPC API, so anything else can make use of it, if it is enabled on the system, not just nspawn.

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 13:47 UTC (Wed) by rbranco (subscriber, #129813) [Link] (1 responses)

Which command? I don't see any setuid binaries for podman on openSUSE, Fedora, Debian & Ubuntu.

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 13:53 UTC (Wed) by bluca (subscriber, #118303) [Link]

newuidmap and newgidmap

podman unprivileged (Systemd heads for a big round-number release)

Posted May 8, 2024 21:55 UTC (Wed) by paravoid (subscriber, #32869) [Link]

> podman does not need privilege for that - but it does need FUSE accessible to unprivileged users, which is another common but not guaranteed configuration. (Or, I think, it can just copy a bunch of files with the default "vfs" driver.)

I think you're talking about the fuse-overlayfs driver. That's actually not needed anymore: the kernel's overlayfs these days* supports user namespaces, and can thus be used without root (assuming unprivileged user namespaces are enabled of course). So FUSE is not required anymore.

*: Linux >= 5.11


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds