linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Documenting the requirement of CAP_SETFCAP to map UID 0
@ 2021-08-08  9:09 Michael Kerrisk (man-pages)
  2021-08-10 23:58 ` Serge E. Hallyn
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Kerrisk (man-pages) @ 2021-08-08  9:09 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: mtk.manpages, linux-security-module, lkml, Alejandro Colomar,
	Kir Kolyshkin, linux-man

Hello Serge,

Your commit:

[[
commit db2e718a47984b9d71ed890eb2ea36ecf150de18
Author: Serge E. Hallyn <serge@hallyn.com>
Date:   Tue Apr 20 08:43:34 2021 -0500

    capabilities: require CAP_SETFCAP to map uid 0
]]

added a new requirement when updating a UID map a user namespace
with a value of '0 0 *'.

Kir sent a patch to briefly document this change, but I think much more
should be written. I've attempted to do so. Could you tell me whether the
following text (to be added in user_namespaces(7)) is accurate please:

[[
      In  order  for  a  process  to  write  to  the /proc/[pid]/uid_map
       (/proc/[pid]/gid_map) file, all of the following requirements must
       be met:

       [...]

       4. If  updating  /proc/[pid]/uid_map to create a mapping that maps
          UID 0 in the parent namespace, then one of the  following  must
          be true:

          *  if  writing process is in the parent user namespace, then it
             must have the CAP_SETFCAP capability in that user namespace;
             or

          *  if  the writing process is in the child user namespace, then
             the process that created the user namespace  must  have  had
             the CAP_SETFCAP capability when the namespace was created.

          This rule has been in place since Linux 5.12.  It eliminates an
          earlier security bug whereby a UID 0  process  that  lacks  the
          CAP_SETFCAP capability, which is needed to create a binary with
          namespaced file capabilities (as described in capabilities(7)),
          could  nevertheless  create  such  a  binary,  by the following
          steps:

          *  Create a new user namespace with the identity mapping (i.e.,
             UID  0 in the new user namespace maps to UID 0 in the parent
             namespace), so that UID 0 in both namespaces  is  equivalent
             to the same root user ID.

          *  Since  the  child process has the CAP_SETFCAP capability, it
             could create a binary with namespaced file capabilities that
             would  then  be  effective in the parent user namespace (be‐
             cause the root user IDs are the same in the two namespaces).

       [...]
]]

Thanks,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Documenting the requirement of CAP_SETFCAP to map UID 0
  2021-08-08  9:09 Documenting the requirement of CAP_SETFCAP to map UID 0 Michael Kerrisk (man-pages)
@ 2021-08-10 23:58 ` Serge E. Hallyn
  2021-08-11 10:10   ` Michael Kerrisk (man-pages)
  0 siblings, 1 reply; 3+ messages in thread
From: Serge E. Hallyn @ 2021-08-10 23:58 UTC (permalink / raw)
  To: Michael Kerrisk (man-pages)
  Cc: Serge E. Hallyn, linux-security-module, lkml, Alejandro Colomar,
	Kir Kolyshkin, linux-man

On Sun, Aug 08, 2021 at 11:09:30AM +0200, Michael Kerrisk (man-pages) wrote:
> Hello Serge,
> 
> Your commit:
> 
> [[
> commit db2e718a47984b9d71ed890eb2ea36ecf150de18
> Author: Serge E. Hallyn <serge@hallyn.com>
> Date:   Tue Apr 20 08:43:34 2021 -0500
> 
>     capabilities: require CAP_SETFCAP to map uid 0
> ]]
> 
> added a new requirement when updating a UID map a user namespace
> with a value of '0 0 *'.
> 
> Kir sent a patch to briefly document this change, but I think much more
> should be written. I've attempted to do so. Could you tell me whether the
> following text (to be added in user_namespaces(7)) is accurate please:

Sorry for the delay - this did not go into my main mailbox.

The text looks good.  Thanks!

> [[
>       In  order  for  a  process  to  write  to  the /proc/[pid]/uid_map
>        (/proc/[pid]/gid_map) file, all of the following requirements must
>        be met:
> 
>        [...]
> 
>        4. If  updating  /proc/[pid]/uid_map to create a mapping that maps
>           UID 0 in the parent namespace, then one of the  following  must
>           be true:
> 
>           *  if  writing process is in the parent user namespace, then it
>              must have the CAP_SETFCAP capability in that user namespace;
>              or
> 
>           *  if  the writing process is in the child user namespace, then
>              the process that created the user namespace  must  have  had
>              the CAP_SETFCAP capability when the namespace was created.
> 
>           This rule has been in place since Linux 5.12.  It eliminates an
>           earlier security bug whereby a UID 0  process  that  lacks  the
>           CAP_SETFCAP capability, which is needed to create a binary with
>           namespaced file capabilities (as described in capabilities(7)),
>           could  nevertheless  create  such  a  binary,  by the following
>           steps:
> 
>           *  Create a new user namespace with the identity mapping (i.e.,
>              UID  0 in the new user namespace maps to UID 0 in the parent
>              namespace), so that UID 0 in both namespaces  is  equivalent
>              to the same root user ID.
> 
>           *  Since  the  child process has the CAP_SETFCAP capability, it
>              could create a binary with namespaced file capabilities that
>              would  then  be  effective in the parent user namespace (be‐
>              cause the root user IDs are the same in the two namespaces).
> 
>        [...]
> ]]
> 
> Thanks,
> 
> Michael
> 
> -- 
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Documenting the requirement of CAP_SETFCAP to map UID 0
  2021-08-10 23:58 ` Serge E. Hallyn
@ 2021-08-11 10:10   ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Kerrisk (man-pages) @ 2021-08-11 10:10 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: mtk.manpages, linux-security-module, lkml, Alejandro Colomar,
	Kir Kolyshkin, linux-man

Hi Serge

On 8/11/21 1:58 AM, Serge E. Hallyn wrote:
> On Sun, Aug 08, 2021 at 11:09:30AM +0200, Michael Kerrisk (man-pages) wrote:
>> Hello Serge,
>>
Hello Serge,


>> Your commit:
>>
>> [[
>> commit db2e718a47984b9d71ed890eb2ea36ecf150de18
>> Author: Serge E. Hallyn <serge@hallyn.com>
>> Date:   Tue Apr 20 08:43:34 2021 -0500
>>
>>     capabilities: require CAP_SETFCAP to map uid 0
>> ]]
>>
>> added a new requirement when updating a UID map a user namespace
>> with a value of '0 0 *'.
>>
>> Kir sent a patch to briefly document this change, but I think much more
>> should be written. I've attempted to do so. Could you tell me whether the
>> following text (to be added in user_namespaces(7)) is accurate please:
> 
> Sorry for the delay - this did not go into my main mailbox.
> 
> The text looks good.  Thanks!

Thanks for checking it!

Cheers,

Michael

>> [[
>>       In  order  for  a  process  to  write  to  the /proc/[pid]/uid_map
>>        (/proc/[pid]/gid_map) file, all of the following requirements must
>>        be met:
>>
>>        [...]
>>
>>        4. If  updating  /proc/[pid]/uid_map to create a mapping that maps
>>           UID 0 in the parent namespace, then one of the  following  must
>>           be true:
>>
>>           *  if  writing process is in the parent user namespace, then it
>>              must have the CAP_SETFCAP capability in that user namespace;
>>              or
>>
>>           *  if  the writing process is in the child user namespace, then
>>              the process that created the user namespace  must  have  had
>>              the CAP_SETFCAP capability when the namespace was created.
>>
>>           This rule has been in place since Linux 5.12.  It eliminates an
>>           earlier security bug whereby a UID 0  process  that  lacks  the
>>           CAP_SETFCAP capability, which is needed to create a binary with
>>           namespaced file capabilities (as described in capabilities(7)),
>>           could  nevertheless  create  such  a  binary,  by the following
>>           steps:
>>
>>           *  Create a new user namespace with the identity mapping (i.e.,
>>              UID  0 in the new user namespace maps to UID 0 in the parent
>>              namespace), so that UID 0 in both namespaces  is  equivalent
>>              to the same root user ID.
>>
>>           *  Since  the  child process has the CAP_SETFCAP capability, it
>>              could create a binary with namespaced file capabilities that
>>              would  then  be  effective in the parent user namespace (be‐
>>              cause the root user IDs are the same in the two namespaces).
>>
>>        [...]
>> ]]
>>
>> Thanks,
>>
>> Michael
>>
>> -- 
>> Michael Kerrisk
>> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
>> Linux/UNIX System Programming Training: http://man7.org/training/


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-11 10:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-08  9:09 Documenting the requirement of CAP_SETFCAP to map UID 0 Michael Kerrisk (man-pages)
2021-08-10 23:58 ` Serge E. Hallyn
2021-08-11 10:10   ` Michael Kerrisk (man-pages)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).