From: Manuel Bouyer <bouyer@antioche.eu.org>
To: Ian Jackson <iwj@xenproject.org>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>,
"George Dunlap" <george.dunlap@citrix.com>,
xen-devel@lists.xenproject.org, "Wei Liu" <wl@xen.org>,
"Anthony PERARD" <anthony.perard@citrix.com>
Subject: Re: [PATCH] libs/light: make it build without setresuid()
Date: Wed, 20 Jan 2021 18:20:46 +0100
Message-ID: <20210120172046.GA5772@antioche.eu.org>
In-Reply-To: <24584.25612.523093.188718@mariner.uk.xensource.com>
On Wed, Jan 20, 2021 at 05:10:36PM +0000, Ian Jackson wrote:
> Manuel Bouyer writes ("Re: [PATCH] libs/light: make it build without setresuid()"):
> > On Wed, Jan 20, 2021 at 03:32:29PM +0000, Ian Jackson wrote:
> > > Yes, the dm is qemu. If qemu restriction is not supported, that makes
> > > a big difference. The complex situation here is to do with trying to
> > > kill a possibly hostile qemu.
> >
> > Hum, I'll have to check this (how to check, BTW ?).
> > I assumed qemu was running as root but it may not be completely true.
> > Especially as I notice, now that I'm re-reading the patch, that
> > we're doing a kill to -1. If we were doing so as root, user processes
> > would be killed.
>
> It may well be that this whole piece of code won't be executed on
> NetBSD because dm restriction will be off.
>
> The background: dm restriction is a set of arrangements for trying to
> run qemu without giving it any more privilege than it needs, and
> certainly not ultimate privilege over the host. This is quite
> complicated and includes running it as a non-root user, chroot, and so
> on.
>
> On Linux it's run in its own network namespace, so that a qemu
> compromised by the guest cannot access host daemons. IDK what
> facilities one might want to use on NetBSD to try to contain qemu.
>
> This seems to me all a matter for future work. I'm sorry that code
> for a feature you're not going to be benefiting from is getting in
> your way.
On NetBSD we could start with a different uid and a chroot. That would
limit the damage.
> > > right answer.)
> >
> > This would have to be checked, but I don't think a non-root process
> > can ptrace a process whose saved-user-id is root.
>
> If I remember rightly the saved-set-id is reset by setuid. But I
> could be wrong. This stuff is all quite complex :-/.
Yes, setuid() resets the saved user ID.
>
> > Actually I think I could mimic the setresuid() with setreuid() and seteuid().
>
> My last mail had in it a thing that claims to be a proof that this is
> not possible.
This code:
	#include <sys/types.h>
	#include <err.h>
	#include <signal.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	int
	main(void)
	{
		/* started as root: real uid becomes 375, effective stays 0,
		 * and the saved uid stays 0 */
		if (setreuid(375, 0) < 0)
			err(1, "setreuid");
		/* lower the effective uid; the saved uid is untouched */
		if (seteuid(374) < 0)
			err(1, "seteuid");
		/* with real uid 375 this signals every process of uid 375 */
		if (kill(-1, SIGKILL) < 0)
			err(1, "kill");
		printf("kill done\n");
		/* only succeeds if the saved uid is still 0 */
		if (seteuid(0) < 0)
			err(1, "seteuid(0)");
		exit(0);
	}
actually works on NetBSD. Processes of uid 375 are killed, and the
seteuid(0) call succeeds (showing that the saved user ID is still 0).
> >
> > Actually I don't see how I could split this in a different file, without
> > lot of duplicate code (even in just kill_device_model_uid_child(),
> > we're talking of about 7 lines of code out of 75). So some guidance here
> > would be welcome.
>
> I think splitting it out at precisely the function needed is probably
> better.
>
> Can you try this experiment: what happens if you replace the call to
> setresuid with abort() ? I think you may find it all works, because
> you're not using that code path.
>
> If so then I suggest introducing
>
> int libxl__setresuid(uid_t ruid, uid_t euid, uid_t suid);
>
> which would call setresuid on Linux and on NetBSD would do this
>
> assert(!"setresuid is not available on NetBSD, and dm restriction is not supported, so this code path should not have been reached")
>
> What do you think ?
As this is supported by Xen, I hope I can at last make qemu run with a
non-zero uid.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
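The following is an added example, not code from this mail, from libxl or from NetBSD: a small model of the BSD credential rules that the setreuid()/seteuid() experiment relies on, together with a helper that emulates setresuid(ruid, euid, 0) with those two calls. The model follows setuid(2), setreuid(2) and seteuid(2) as documented on NetBSD and is a simplification (no -1 arguments, no groups, no kauth hooks, no errno); the uids 375 and 374 are the ones used in the mail and carry no meaning beyond that. Linux behaves slightly differently for an unprivileged setuid() call, so the model is not a description of Linux.

```c
/*
 * Added example, not from the mail or from libxl: a model of the BSD
 * credential rules behind the setreuid()/seteuid() experiment above, plus
 * a helper emulating setresuid(ruid, euid, 0) with those two calls.  The
 * model follows setuid(2), setreuid(2) and seteuid(2) as documented on
 * NetBSD; -1 arguments, groups, kauth hooks and errno are left out.
 */
#include <sys/types.h>
#include <err.h>
#include <stdio.h>
#include <unistd.h>

struct creds {			/* real, effective and saved user IDs */
	uid_t r, e, s;
};

/* setuid(2): allowed if uid equals real or saved, or the caller is root.
 * All three IDs are set, which is what discards the saved root ID. */
static int
model_setuid(struct creds *c, uid_t uid)
{
	if (c->e != 0 && uid != c->r && uid != c->s)
		return -1;
	c->r = c->e = c->s = uid;
	return 0;
}

/* setreuid(2): non-root may swap real/effective (effective may also take
 * the saved value); root may set anything.  Saved becomes the new effective
 * ID whenever the real ID changes, so setreuid(375, 0) from root keeps 0. */
static int
model_setreuid(struct creds *c, uid_t ruid, uid_t euid)
{
	if (c->e != 0) {
		if (ruid != c->r && ruid != c->e)
			return -1;
		if (euid != c->r && euid != c->e && euid != c->s)
			return -1;
	}
	if (ruid != c->r)
		c->s = euid;
	c->r = ruid;
	c->e = euid;
	return 0;
}

/* seteuid(2): effective may be set to real or saved; nothing else moves. */
static int
model_seteuid(struct creds *c, uid_t euid)
{
	if (c->e != 0 && euid != c->r && euid != c->s)
		return -1;
	c->e = euid;
	return 0;
}

/* kill(2), classic BSD rule: a non-root sender may signal a target whose
 * real or saved ID equals the sender's real or effective ID, so kill(-1)
 * from (375, 374, 0) reaches uid 375's processes but not root's. */
static int
model_can_signal(const struct creds *from, const struct creds *to)
{
	if (from->e == 0)
		return 1;
	return from->r == to->r || from->r == to->s ||
	    from->e == to->r || from->e == to->s;
}

/* Real emulation of setresuid(ruid, euid, 0) for a root process without
 * setresuid(): change the real ID first, which pins saved to the still-root
 * effective ID, then lower the effective ID. */
static int
setreuid_seteuid(uid_t ruid, uid_t euid)
{
	if (setreuid(ruid, 0) < 0)
		return -1;
	return seteuid(euid);
}

int
main(void)
{
	struct creds c = { 0, 0, 0 }, root = { 0, 0, 0 }, user = { 375, 375, 375 };

	if (model_setreuid(&c, 375, 0) < 0 || model_seteuid(&c, 374) < 0)
		errx(1, "model refused the sequence");
	printf("model: r=%u e=%u s=%u; may signal uid 375: %d, root: %d\n",
	    (unsigned)c.r, (unsigned)c.e, (unsigned)c.s,
	    model_can_signal(&c, &user), model_can_signal(&c, &root));
	if (geteuid() != 0) {
		printf("not root, skipping the real calls\n");
		return 0;
	}
	/* kill(-1) is deliberately omitted; this only checks the saved ID. */
	if (setreuid_seteuid(375, 374) < 0 || seteuid(0) < 0)
		err(1, "saved uid not preserved");
	printf("real: euid 0 regained, saved uid preserved\n");
	return 0;
}
```

The model part runs unprivileged and reproduces the mail's observation: after setreuid(375, 0) and seteuid(374) the triple is (375, 374, 0), uid 375's processes are signalable while root's are not, and seteuid(0) is still permitted because the saved ID is 0. By contrast, setuid(374) from root moves all three IDs to 374 and root can no longer be regained, which is the point made about setuid() resetting the saved ID. The real-syscall part only executes as root and intentionally leaves out kill(-1); a libxl__setresuid() wrapper for NetBSD could use setreuid_seteuid() for the (ruid, euid, 0) shape instead of asserting, but it only covers that shape, not arbitrary saved IDs.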