From: ebiederm@xmission.com (Eric W. Biederman)
To: Seth Forshee <seth.forshee@canonical.com>
Cc: Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
Kees Cook <keescook@chromium.org>,
Serge Hallyn <serge.hallyn@canonical.com>
Subject: Re: [PATCH] namei: permit linking with CAP_FOWNER in userns
Date: Tue, 27 Oct 2015 16:04:25 -0500 [thread overview]
Message-ID: <87bnbkxbty.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20151027143344.GB132460@ubuntu-hedt> (Seth Forshee's message of "Tue, 27 Oct 2015 09:33:44 -0500")
Seth Forshee <seth.forshee@canonical.com> writes:
> On Tue, Oct 20, 2015 at 04:09:19PM +0200, Dirk Steinmetz wrote:
>> Attempting to hardlink to an unsafe file (e.g. a setuid binary) from
>> within an unprivileged user namespace fails, even if CAP_FOWNER is held
>> within the namespace. This may cause various failures, such as a gentoo
>> installation within a lxc container failing to build and install specific
>> packages.
>>
>> This change permits hardlinking of files owned by mapped uids, if
>> CAP_FOWNER is held for that namespace. Furthermore, it improves consistency
>> by using the existing inode_owner_or_capable(), which is aware of
>> namespaced capabilities as of 23adbe12ef7d3 ("fs,userns: Change
>> inode_capable to capable_wrt_inode_uidgid").
>>
>> Signed-off-by: Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>
>
> Tested-by: Seth Forshee <seth.forshee@canonical.com>
If multiple groups are hitting this issue for different reasons
I am applying the supplied patch.
> This is hitting us in Ubuntu during some dpkg upgrades in containers.
> When upgrading a file dpkg creates a hard link to the old file to back
> it up before overwriting it. When packages upgrade suid files owned by a
> non-root user the link isn't permitted, and the package upgrade fails.
> This patch fixes our problem.
>
> I did want to point what seems to be an inconsistency in how
> capabilities in user namespaces are handled with respect to inodes. When
> I started looking at this my initial thought was to replace
> capable(CAP_FOWNER) with capable_wrt_inode_uidgid(inode, CAP_FOWNER). On
> the face of it this should be equivalent to what's done here, but it
> turns out that capable_wrt_inode_uidgid requires that the inode's uid
> and gid are both mapped into the namespace whereas
> inode_owner_or_capable only requires the uid be mapped. I'm not sure how
> significant that is, but it seems a bit odd.
It is a bit odd.
inode_owner_or_capable in this context is a gimme, as only being the
owner of the file in question is enough to create a hard link, and root
(in the user namespace) can become that user.
That said I think there have been some legitimate questions about setgid
executables in may_linkat (raised down thread), as well as legitimate
questions about capable_wrt_uidgid. I will add the additional question
is it sane for us to ignore the acls in capable_wrt_uidgid.
All of this appears to be an area that no one except bad actors cares
about so I expect we can change things without causing regressions, and
on that note I encourage the conversation on the oddness to continue.
Eric
next prev parent reply other threads:[~2015-10-27 21:15 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-10 14:59 [PATCH] namei: permit linking with CAP_FOWNER in userns Dirk Steinmetz
2015-10-20 14:09 ` Dirk Steinmetz
2015-10-27 14:33 ` Seth Forshee
2015-10-27 18:08 ` Dirk Steinmetz
2015-10-27 20:28 ` Serge Hallyn
2015-10-28 15:07 ` Dirk Steinmetz
2015-10-28 17:33 ` Serge Hallyn
2015-11-02 15:10 ` Dirk Steinmetz
2015-11-02 18:02 ` Serge Hallyn
2015-11-02 19:57 ` Andy Lutomirski
2015-11-03 0:39 ` [RFC] namei: prevent sgid-hardlinks for unmapped gids Dirk Steinmetz
2015-11-03 15:44 ` Serge Hallyn
2015-11-03 18:20 ` Kees Cook
2015-11-03 23:21 ` Dirk Steinmetz
2015-11-03 23:29 ` Kees Cook
2015-11-04 6:58 ` Willy Tarreau
2015-11-04 17:59 ` Andy Lutomirski
2015-11-04 18:15 ` Willy Tarreau
2015-11-04 18:17 ` Andy Lutomirski
2015-11-04 18:28 ` Willy Tarreau
2015-11-06 21:59 ` Kees Cook
2015-11-06 22:30 ` Andy Lutomirski
2015-11-07 0:11 ` Kees Cook
2015-11-07 0:16 ` Kees Cook
2015-11-07 0:48 ` Andy Lutomirski
2015-11-07 5:05 ` Kees Cook
2015-11-08 2:02 ` Theodore Ts'o
2015-11-10 15:08 ` Jan Kara
2015-11-19 20:11 ` Kees Cook
2015-11-19 21:57 ` Andy Lutomirski
2015-11-19 22:02 ` Dave Chinner
2015-11-20 0:11 ` Kees Cook
2015-11-04 14:46 ` Serge E. Hallyn
2015-10-27 21:04 ` Eric W. Biederman [this message]
2015-11-03 17:51 ` [PATCH] namei: permit linking with CAP_FOWNER in userns Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bnbkxbty.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=public@rsjtdrjgfuzkfg.com \
--cc=serge.hallyn@canonical.com \
--cc=seth.forshee@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).