From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754139AbbJ0VPp (ORCPT ); Tue, 27 Oct 2015 17:15:45 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:46463 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753406AbbJ0VPd (ORCPT ); Tue, 27 Oct 2015 17:15:33 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Seth Forshee Cc: Dirk Steinmetz , Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andy Lutomirski , Kees Cook , Serge Hallyn References: <1444489163-24266-1-git-send-email-public@rsjtdrjgfuzkfg.com> <1445350159-5489-1-git-send-email-public@rsjtdrjgfuzkfg.com> <20151027143344.GB132460@ubuntu-hedt> Date: Tue, 27 Oct 2015 16:04:25 -0500 In-Reply-To: <20151027143344.GB132460@ubuntu-hedt> (Seth Forshee's message of "Tue, 27 Oct 2015 09:33:44 -0500") Message-ID: <87bnbkxbty.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX18HBO7KuJe+eHn+MEF7jj4LCGo6SSEVB0Y= X-SA-Exim-Connect-IP: 67.3.201.231 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Seth Forshee X-Spam-Relay-Country: X-Spam-Timing: total 4577 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 3.6 (0.1%), b_tie_ro: 2.7 (0.1%), parse: 0.67 (0.0%), extract_message_metadata: 16 (0.4%), get_uri_detail_list: 2.0 (0.0%), tests_pri_-1000: 7 (0.1%), tests_pri_-950: 1.33 (0.0%), tests_pri_-900: 1.08 (0.0%), tests_pri_-400: 28 (0.6%), check_bayes: 26 (0.6%), b_tokenize: 7 (0.2%), b_tok_get_all: 9 (0.2%), b_comp_prob: 3.5 (0.1%), b_tok_touch_all: 3.5 (0.1%), b_finish: 0.90 (0.0%), tests_pri_0: 270 (5.9%), tests_pri_500: 4245 (92.7%), poll_dns_idle: 4237 (92.6%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] namei: permit linking with CAP_FOWNER in userns X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Seth Forshee writes: > On Tue, Oct 20, 2015 at 04:09:19PM +0200, Dirk Steinmetz wrote: >> Attempting to hardlink to an unsafe file (e.g. a setuid binary) from >> within an unprivileged user namespace fails, even if CAP_FOWNER is held >> within the namespace. This may cause various failures, such as a gentoo >> installation within a lxc container failing to build and install specific >> packages. >> >> This change permits hardlinking of files owned by mapped uids, if >> CAP_FOWNER is held for that namespace. Furthermore, it improves consistency >> by using the existing inode_owner_or_capable(), which is aware of >> namespaced capabilities as of 23adbe12ef7d3 ("fs,userns: Change >> inode_capable to capable_wrt_inode_uidgid"). >> >> Signed-off-by: Dirk Steinmetz > > Tested-by: Seth Forshee If multiple groups are hitting this issue for different reasons I am applying the supplied patch. > This is hitting us in Ubuntu during some dpkg upgrades in containers. > When upgrading a file dpkg creates a hard link to the old file to back > it up before overwriting it. When packages upgrade suid files owned by a > non-root user the link isn't permitted, and the package upgrade fails. > This patch fixes our problem. > > I did want to point what seems to be an inconsistency in how > capabilities in user namespaces are handled with respect to inodes. When > I started looking at this my initial thought was to replace > capable(CAP_FOWNER) with capable_wrt_inode_uidgid(inode, CAP_FOWNER). On > the face of it this should be equivalent to what's done here, but it > turns out that capable_wrt_inode_uidgid requires that the inode's uid > and gid are both mapped into the namespace whereas > inode_owner_or_capable only requires the uid be mapped. I'm not sure how > significant that is, but it seems a bit odd. It is a bit odd. inode_owner_or_capable in this context is a gimme, as only being the owner of the file in question is enough to create a hard link, and root (in the user namespace) can become that user. That said I think there have been some legitimate questions about setgid executables in may_linkat (raised down thread), as well as legitimate questions about capable_wrt_uidgid. I will add the additional question is it sane for us to ignore the acls in capable_wrt_uidgid. All of this appears to be an area that no one except bad actors cares about so I expect we can change things without causing regressions, and on that note I encourage the conversation on the oddness to continue. Eric