[lxc-devel] [PATCH 1/1] fix root-owned unpriv containers

Stéphane Graber stgraber at ubuntu.com
Fri Sep 19 21:04:23 UTC 2014


On Mon, Sep 15, 2014 at 12:35:02AM +0000, Serge Hallyn wrote:
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > On Sun, 2014-09-14 at 04:49 +0000, Serge Hallyn wrote:
> > > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > > On Sun, Sep 14, 2014 at 04:38:30AM +0000, Serge Hallyn wrote:
> > > > > lxc_map_ids was always using newuidmap if it existed.  We don't want
> > > > > to use it if we start as root.
> > > > 
> > > > This was actually done on purpose to force everyone with a recent
> > > > version of shadow to set proper ranges for root in /etc/subuid and
> > > > /etc/subgid to avoid potential clashes at a later point when adding new
> > > > users.
> > 
> > > Hm.  Seems to me root is not just another user who conflicts, he's a
> > > special user.
> > 
> > Hmmm...  There are two schools of thought there.  One school feels that
> > root is NOT a "special" user but merely one that has been permitted
> > special permissions.  In that universe, the root user may or may not be
> > unique and may or may not have universal powers.
> > 
> > The other school of thought, obviously, is the classical one where root
> > (uid 0) has some very unique attributes peculiar only to the
> > "superuser".
> 
> I think what convinced me last time was the viewpoint of actually protecting
> root.  If root has a container using the range 200000-300000, but doesn't
> have that range reserved in /etc/subuid, then an unpriv user may eventually
> be granted that range, after which he may be able to wreak havoc on root
> owned containers.
> 
> (I'm snipping the rest of the email here, but not bc I disagree with any
> of it - well except the 'root is only special bc ' statement - in fact I
> would argue that with the right settings the one thing making root special
> is that it is the uid owning the devices and some important host files.)
> 
> Here's the alternative patch which explains what's going on:
> 
> From 354b45dc1b87942af5ee04215b5eb464d7dae1ab Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Sun, 14 Sep 2014 19:28:03 -0500
> Subject: [PATCH 1/1] lxc_map_ids: add a comment
> 
> Explain why we insist that root use newuidmap if it is available.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/conf.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 5e61c35..e61002b 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3429,6 +3429,12 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
>  	enum idtype type;
>  	char *buf = NULL, *pos, *cmdpath = NULL;
>  
> +	/*
> +	 * If newuidmap exists, that is, if shadow is handing out subuid
> +	 * ranges, then insist that root also reserve ranges in subuid.  This
> +	 * will protected it by preventing another user from being handed the
> +	 * range by shadow.
> +	 */
>  	cmdpath = on_path("newuidmap", NULL);
>  	if (cmdpath) {
>  		use_shadow = 1;
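Review bot: the new comment has a typo, "This will protected it" should read "This will protect it". It also only names subuid, while the thread above is about reserving ranges for root in both /etc/subuid and /etc/subgid; since the decision here is keyed on newuidmap being on the path, say that root must reserve ranges in both files, so the comment matches what an administrator actually has to configure.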
> -- 
> 2.1.0
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
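The scenario Serge describes above (root runs a container on a host-id range that is not reserved in /etc/subuid, and shadow later hands that range to an unprivileged user) is easy to audit from the files involved. The following is an added example written for this page, not LXC's own code. It assumes only the shadow-utils `name:start:count` file format and the LXC 1.x `lxc.id_map = u|g <container_id> <host_id> <count>` config syntax; the sample file contents, the container config and the helper names (`parse_subid`, `parse_id_map`, `audit_container`) are constructed for illustration.

```python
"""Audit an LXC container's id map against /etc/subuid and /etc/subgid.

Two checks per lxc.id_map line:
  1. the host range is reserved for the container's owner in the matching
     shadow file (root included, which is what the patch above insists on);
  2. no other user's reservation intersects that host range.
Added example, not LXC code.
"""
from typing import List, Tuple

Entry = Tuple[str, int, int]        # (name, start, count) as in /etc/subuid
IdMap = Tuple[str, int, int, int]   # (kind, container_id, host_id, count)

# Constructed sample inputs (not from any real host).
# root's container maps uids onto host 200000-265535, but /etc/subuid does
# not reserve that range for root, and shadow has since handed it to 'bob'.
SAMPLE_SUBUID = """\
root:100000:65536
alice:300000:65536
bob:200000:65536
"""
# For gids root did reserve the range, so the gid mapping is fine.
SAMPLE_SUBGID = """\
root:200000:65536
alice:265536:65536
"""
SAMPLE_CONFIG = """\
lxc.rootfs = /var/lib/lxc/c1/rootfs
lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536
"""


def parse_subid(text: str) -> List[Entry]:
    """Parse shadow's subuid/subgid format ('name:start:count' per line)."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range {start}:{count}")
        entries.append((name, start, count))
    return entries


def parse_id_map(config: str) -> List[IdMap]:
    """Extract (kind, container_id, host_id, count) from lxc.id_map lines."""
    maps: List[IdMap] = []
    for raw in config.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"bad lxc.id_map line: {raw!r}")
        maps.append((fields[0], int(fields[1]), int(fields[2]), int(fields[3])))
    return maps


def overlaps(start_a: int, count_a: int, start_b: int, count_b: int) -> bool:
    """True if the half-open ranges [start, start+count) intersect."""
    return start_a < start_b + count_b and start_b < start_a + count_a


def is_reserved(entries: List[Entry], owner: str, start: int, count: int) -> bool:
    """True if [start, start+count) lies entirely inside one of owner's entries."""
    return any(n == owner and s <= start and start + count <= s + c
               for n, s, c in entries)


def other_claimants(entries: List[Entry], owner: str, start: int, count: int) -> List[str]:
    """Names of users other than owner whose reservation touches the range."""
    return sorted({n for n, s, c in entries if n != owner and overlaps(start, count, s, c)})


def audit_container(owner: str, config: str, subuid_text: str, subgid_text: str) -> List[str]:
    """Return a list of problems; an empty list means every mapping is safe."""
    tables = {"u": ("subuid", parse_subid(subuid_text)),
              "g": ("subgid", parse_subid(subgid_text))}
    problems: List[str] = []
    for kind, _cid, hid, count in parse_id_map(config):
        fname, entries = tables[kind]
        last = hid + count - 1
        if not is_reserved(entries, owner, hid, count):
            problems.append(f"{kind}: host range {hid}-{last} not reserved for {owner} in /etc/{fname}")
        for who in other_claimants(entries, owner, hid, count):
            problems.append(f"{kind}: host range {hid}-{last} overlaps {who}'s reservation in /etc/{fname}")
    return problems


if __name__ == "__main__":
    for problem in audit_container("root", SAMPLE_CONFIG, SAMPLE_SUBUID, SAMPLE_SUBGID):
        print(problem)
```

On a real host you would feed it the container's config and the contents of /etc/subuid and /etc/subgid; the second check is the one that catches the "another user was later handed root's range" case even when root's own entry is missing.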