[lxc-devel] [PATCH 1/1] fix root-owned unpriv containers
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 15 00:35:02 UTC 2014
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Sun, 2014-09-14 at 04:49 +0000, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > On Sun, Sep 14, 2014 at 04:38:30AM +0000, Serge Hallyn wrote:
> > > > lxc_map_ids was always using newuidmap if it existed. We don't want
> > > > to use it if we start as root.
> > >
> > > This was actually done on purpose to force everyone with a recent
> > > version of shadow to set proper ranges for root in /etc/subuid and
> > > /etc/subgid to avoid potential clashes at a later point when adding new
> > > users.
>
> > Hm. Seems to me root is not just another user who conflicts, he's a
> > special user.
>
> Hmmm... There are two schools of thought there. One school feels that
> root is NOT a "special" user but merely one that has been permitted
> special permissions. In that universe, the root user may or may not be
> unique and may or may not have universal powers.
>
> The other school of though, obviously, is the classical one where root
> (uid 0) has some very unique attributes peculiar only to the
> "superuser".
I think what convinced me last time was the viewpoint of actually protecting
root. If root has a container using the range 200000-300000, but doesn't
have that range reserved in /etc/subuid, then an unpriv user may eventually
be granted that range, after which he may be able to wreak havoc on root
owned containers.
(I'm snipping the rest of the email here, but not bc I disagree with any
of it - well except the 'root is only special bc ' statement - in fact I
would argue that with the right settings the one thing making root special
is that it is the uid owning the devices and some important host files.)
Here's the alternative patch which explains what's going on:
>From 354b45dc1b87942af5ee04215b5eb464d7dae1ab Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 14 Sep 2014 19:28:03 -0500
Subject: [PATCH 1/1] lxc_map_ids: add a comment
Explain why we insist that root use newuidmap if it is available.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/conf.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..e61002b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3429,6 +3429,12 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
enum idtype type;
char *buf = NULL, *pos, *cmdpath = NULL;
+ /*
+ * If newuidmap exists, that is, if shadow is handing out subuid
+ * ranges, then insist that root also reserve ranges in subuid. This
+ * will protected it by preventing another user from being handed the
+ * range by shadow.
+ */
cmdpath = on_path("newuidmap", NULL);
if (cmdpath) {
use_shadow = 1;
--
2.1.0
More information about the lxc-devel
mailing list