From: Serge Hallyn
Subject: Re: [REVIEW][PATCH 0/43] Completing the user namespace
Date: Tue, 10 Apr 2012 23:37:17 -0500
Message-ID: <20120411043717.GD7153@sergelap>
References: <4F84838B.8000408@mit.edu>
To: "Eric W. Biederman"
Cc: Andrew Lutomirski, Markus Gutschke, Will Drewry, Cyrill Gorcunov, linux-security-module@vger.kernel.org, Al Viro, linux-fsdevel@vger.kernel.org, Andrew Morton, Linus Torvalds

Quoting Eric W. Biederman (ebiederm@xmission.com):
> Andrew Lutomirski writes:
>
> > On Tue, Apr 10, 2012 at 6:01 PM, Eric W. Biederman
> > wrote:
> >
> > Sounds like you're reinventing (something very similar to)
> > no_new_privs. Why not just require no_new_privs as a prerequisite for
> > creating a user namespace if you're unprivileged?
>
> As I said in the part of my email you snipped, because no_new_privs will
> break suid exec in the user namespace.

Andrew, note that once you create a new user namespace, you cannot
change your credentials in the ancestor user namespaces. So in effect
you already have no_new_privs for those namespaces.

So say I'm uid 1001 and I create a task in a new user namespace where
50000 on the host is mapped to uid 0 in the userns. Now I try to execute
a setuid file belonging to uid 500 on the host. Note that 500 is not
mapped into my user namespace. That is what Eric meant by either the
exec being refused or the setuid being ignored. Either way, the file
would be executed using uid 50000 on the host (and 0 in the user
namespace).

-serge
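The scenario Serge walks through, as an added worked example that is not part of this thread or of the patch series under review: a small C model of the uid_map extent lookup and of the "setuid ignored" outcome for a file whose owner is not mapped into the namespace. The map text format ("<ns-uid> <parent-uid> <count>" per line) is the documented /proc/PID/uid_map format; the functions are named after the kernel's make_kuid()/from_kuid() but are a simplified model, not kernel code, and INVALID_UID, MAX_EXTENTS, setuid_exec_euid() and the constructed maps are this example's assumptions.

```c
/*
 * Model of user-namespace uid mapping and its effect on set-uid exec.
 * Added illustration only: the kernel's make_kuid()/from_kuid() are more
 * involved, but the extent arithmetic and the "unmapped -> invalid" rule
 * are what Serge's example turns on.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define INVALID_UID 0xFFFFFFFFu   /* stands in for the kernel's INVALID_UID (assumption) */
#define MAX_EXTENTS 5             /* this model's cap; the kernel has its own limit */

struct extent {
    unsigned first;        /* first uid as seen inside the namespace */
    unsigned lower_first;  /* corresponding uid in the parent (host) namespace */
    unsigned count;        /* length of the range */
};

struct uid_map {
    struct extent ext[MAX_EXTENTS];
    unsigned n;
};

/* Parse /proc/<pid>/uid_map text, one "<ns-uid> <parent-uid> <count>" per line.
 * Returns the number of extents, or -1 for an empty or malformed map.
 * (The kernel also rejects overlapping extents; this model does not check that.) */
int parse_uid_map(const char *text, struct uid_map *m)
{
    const char *p = text;
    m->n = 0;
    while (*p) {
        unsigned first, lower, count;
        while (*p == '\n') p++;          /* skip blank lines */
        if (!*p) break;
        if (m->n == MAX_EXTENTS) return -1;
        if (sscanf(p, "%u %u %u", &first, &lower, &count) != 3) return -1;
        if (count == 0) return -1;
        /* reject ranges that wrap around the uid space */
        if (first + count < first || lower + count < lower) return -1;
        m->ext[m->n++] = (struct extent){ first, lower, count };
        p = strchr(p, '\n');
        if (!p) break;
    }
    return m->n ? (int)m->n : -1;
}

/* Parent (host) uid -> uid inside the namespace; INVALID_UID if not mapped. */
unsigned from_kuid(const struct uid_map *m, unsigned kuid)
{
    for (unsigned i = 0; i < m->n; i++) {
        const struct extent *e = &m->ext[i];
        if (kuid >= e->lower_first && kuid - e->lower_first < e->count)
            return e->first + (kuid - e->lower_first);
    }
    return INVALID_UID;
}

/* Uid inside the namespace -> parent (host) uid; INVALID_UID if not mapped. */
unsigned make_kuid(const struct uid_map *m, unsigned nsuid)
{
    for (unsigned i = 0; i < m->n; i++) {
        const struct extent *e = &m->ext[i];
        if (nsuid >= e->first && nsuid - e->first < e->count)
            return e->lower_first + (nsuid - e->first);
    }
    return INVALID_UID;
}

/* Host euid a task inside the namespace described by m runs with after exec.
 * Policy modelled (the "setuid ignored" alternative from the thread): the
 * set-uid bit is honoured only if the file owner is mapped into the
 * namespace; otherwise the caller keeps its own euid. The other alternative,
 * refusing the exec, would be an error return here instead. */
unsigned setuid_exec_euid(const struct uid_map *m, unsigned caller_keuid,
                          unsigned owner_kuid, bool setuid_bit)
{
    if (!setuid_bit) return caller_keuid;
    if (from_kuid(m, owner_kuid) == INVALID_UID) return caller_keuid;
    return owner_kuid;
}

int main(void)
{
    struct uid_map m;
    /* Serge's namespace, as a constructed map: uid 0 inside == host uid 50000. */
    if (parse_uid_map("0 50000 1\n", &m) < 0) return 1;
    unsigned me = make_kuid(&m, 0);                         /* host 50000 */
    unsigned after = setuid_exec_euid(&m, me, 500, true);   /* owner 500 unmapped */
    printf("caller host uid %u (ns uid %u); setuid file owned by host uid 500 "
           "-> runs as host uid %u (ns uid %u)\n",
           me, from_kuid(&m, me), after, from_kuid(&m, after));
    return 0;
}
```

Running it prints the outcome Serge describes: the task stays host uid 50000 (uid 0 in the namespace) because host uid 500 has no entry in the map. With a second extent such as "1000 200000 65536" a setuid file owned by a mapped host uid (say 50000) would be honoured, which is the case the model distinguishes.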