From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Julian Orth <ju.orth@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Setting the transit namespace at runtime
Date: Sun, 9 Sep 2018 16:27:43 -0600
Message-ID: <CAHmME9qYX8AEtOWo-u2E90mnKy+HeT-cb8KH8b9q3GUsmjxzDg@mail.gmail.com>
In-Reply-To: <CAHijbEX8cRGA3_NFdRqFCraLns_UhaSbX0yFJTax8bsFvAP9XQ@mail.gmail.com>

Hi Julian,

On Fri, Sep 7, 2018 at 1:06 PM Julian Orth <ju.orth@gmail.com> wrote:
> > I'd thought of this early on, but failed to come up with what seemed
> > like an actually realistic use case for it.
>
> How about creating WireGuard devices as a user that has no
> privileges/capabilities in the init namespace?
>
> $ unshare -r -U -m
> $ mount --bind /proc/self/ns/net init-ns
> $ unshare -n
> $ ./setup-wg0.sh
> $ wg set wg0 transit-net init-ns

That looks to me like a security vulnerability. User namespace sets
listen-port to < 1024, and then moves it into the target namespace,
and bam, controls subverted.

It might be wise, then, to include with this a capability check
relative to the destination socket namespace, but that needs a check
on both ends -- when you change the socket namespace and when you
change the listen port, to make sure they correspond. However, if
you're restricting setting the namespace and the listen port to
cap_net_admin, then the above is no longer a good reason for this
patchset, thereby begging my initial question.

I saw you posted patches to the mailing list. I'll review these soon
on my way back home on the flight tomorrow. In the meantime, if you
send me your SSH public key (perhaps privately), we can add you to the
WireGuard git repository, so that you can push to branches that begin
with "jo/".

Jason
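
The ordering argument in the message above (a check is needed both when the
listen port changes and when the transit namespace changes) can be made
concrete with a small model. The following is an added illustration written
for this archive page; it is not WireGuard code and not the patchset under
review. It assumes a toy rule that holding a port below 1024 in a network
namespace requires a capability relative to that namespace's owning user
namespace, and the names NetNs, Caller, WgDevice, set_listen_port,
set_transit_ns, run and evaluate are all hypothetical.

```python
"""Toy model of the capability-check problem raised above.

Added illustration, not WireGuard code. A netns is owned by a user namespace;
a caller holds CAP_NET_ADMIN only relative to some user namespaces; a device
has a listen port and a transit netns that can each be changed. Holding a
privileged port in a netns is modelled as requiring the capability relative
to that netns's owning user namespace (assumption mirroring Linux).
"""
from dataclasses import dataclass

PRIV_PORT_MAX = 1023          # ports <= 1023 are privileged (assumption)
INIT_USERNS = "init_user_ns"
USER_USERNS = "unpriv_user_ns"


@dataclass(frozen=True)
class NetNs:
    name: str
    owner_userns: str         # user namespace that owns this network namespace


INIT_NET = NetNs("init_net", INIT_USERNS)
USER_NET = NetNs("user_net", USER_USERNS)   # what `unshare -U` then `unshare -n` yields


@dataclass(frozen=True)
class Caller:
    name: str
    capable_in: frozenset     # user namespaces in which the caller has CAP_NET_ADMIN

    def capable(self, ns: NetNs) -> bool:
        return ns.owner_userns in self.capable_in


@dataclass
class WgDevice:
    transit: NetNs
    listen_port: int = 0      # 0 means unset


class Denied(PermissionError):
    pass


def check_port_in_ns(caller: Caller, port: int, ns: NetNs) -> None:
    """Hypothetical check: a privileged port may only be held in a netns
    where the caller is capable relative to that netns's owner."""
    if 0 < port <= PRIV_PORT_MAX and not caller.capable(ns):
        raise Denied(f"{caller.name}: port {port} in {ns.name} "
                     f"needs CAP_NET_ADMIN in {ns.owner_userns}")


def set_listen_port(dev: WgDevice, caller: Caller, port: int, *, check: bool) -> None:
    if check:                 # check the new port against the current transit ns
        check_port_in_ns(caller, port, dev.transit)
    dev.listen_port = port


def set_transit_ns(dev: WgDevice, caller: Caller, ns: NetNs, *, check: bool) -> None:
    if check:                 # re-check the existing port against the destination ns
        check_port_in_ns(caller, dev.listen_port, ns)
    dev.transit = ns


def run(order: str, caller: Caller, port: int, *, check_on_port: bool, check_on_move: bool) -> str:
    """Run one ordering of the two operations starting from the caller's own netns.
    Returns 'denied' if a check fired, 'bypassed' if the device ends up holding a
    privileged port in a netns where the caller is not capable, else 'ok'."""
    dev = WgDevice(transit=USER_NET)
    try:
        if order == "port_then_move":
            set_listen_port(dev, caller, port, check=check_on_port)
            set_transit_ns(dev, caller, INIT_NET, check=check_on_move)
        elif order == "move_then_port":
            set_transit_ns(dev, caller, INIT_NET, check=check_on_move)
            set_listen_port(dev, caller, port, check=check_on_port)
        else:
            raise ValueError(order)
    except Denied:
        return "denied"
    if 0 < dev.listen_port <= PRIV_PORT_MAX and not caller.capable(dev.transit):
        return "bypassed"
    return "ok"


def evaluate(caller: Caller, port: int, *, check_on_port: bool, check_on_move: bool) -> dict:
    """Outcome of both orderings under a given placement of the check."""
    return {o: run(o, caller, port, check_on_port=check_on_port, check_on_move=check_on_move)
            for o in ("port_then_move", "move_then_port")}


UNPRIV = Caller("unpriv", frozenset({USER_USERNS}))             # root only in its own userns
ROOT = Caller("root", frozenset({INIT_USERNS, USER_USERNS}))    # capable in init too

if __name__ == "__main__":
    for cp, cm in ((False, False), (True, False), (False, True), (True, True)):
        print(f"check_on_port={cp!s:5} check_on_move={cm!s:5}",
              evaluate(UNPRIV, 443, check_on_port=cp, check_on_move=cm))
```

Running the model with an unprivileged caller and port 443 shows that a check
only at listen-port time is defeated by "set port, then move", a check only at
move time is defeated by "move, then set port", and only checking on both ends
denies both orderings; a caller capable in the init user namespace, or an
unprivileged port such as 51820, passes under every configuration.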


Thread overview: 7+ messages
2018-09-03 16:16 Setting the transit namespace at runtime Julian Orth
2018-09-06 20:42 ` Julian Orth
2018-09-07  1:29   ` Jason A. Donenfeld
2018-09-07  1:26 ` Jason A. Donenfeld
2018-09-07 19:06   ` Julian Orth
2018-09-09 22:27     ` Jason A. Donenfeld [this message]
2018-09-10  7:16       ` Julian Orth
