Skip to content

newuidmap/newgidmap: install with file capabilities #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hallyn merged 1 commit into from
Oct 27, 2018
Merged

newuidmap/newgidmap: install with file capabilities #136

hallyn merged 1 commit into from
Oct 27, 2018

Conversation

@giuseppe
Copy link
Contributor

@giuseppe giuseppe commented Oct 24, 2018

do not install newuidmap/newgidmap as suid binaries. Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Alternative solution for #132

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

brauner
brauner reviewed Oct 24, 2018
View reviewed changes
src/Makefile.am
chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
done
endif
if ENABLE_SUBIDS
Copy link
Collaborator

@brauner brauner Oct 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure that this is opt-in. So that the distros can decide whether they want these to be suid binaries or fscaps binaries. This is important when wanting to build shadow in user namespaces.

Copy link
Contributor Author

@giuseppe giuseppe Oct 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a --with-fcaps switch to configure

@AkihiroSuda
Copy link

AkihiroSuda commented Oct 24, 2018

Alternative solution for #132

I'm not sure this can be alternative, because setting file capabilities in user namespace is not supported for Kernel < 4.14

@giuseppe giuseppe mentioned this pull request Oct 24, 2018
Merged
@giuseppe giuseppe force-pushed the fcap-newuidmap-newgidmap branch from e1ef37a to c9ea9d0 Compare October 24, 2018 10:44
@giuseppe
Copy link
Contributor Author

giuseppe commented Oct 24, 2018

I'm not sure this can be alternative, because setting file capabilities in user namespace is not supported for Kernel < 4.14

thinking more of it: the two solutions are not really complementary to each other, they can be both used and they address the issue in a different way.

@brauner
Copy link
Collaborator

brauner commented Oct 24, 2018

thinking more of it: the two solutions are not really complementary to each other, they can be both used and they address the issue in a different way.

When compiling it needs to be suid xor fscaps.

@ebiederm
Copy link

ebiederm commented Oct 24, 2018

@AkihiroSuda

Alternative solution for #132

I'm not sure this can be alternative, because setting file capabilities in user namespace is not supported for Kernel < 4.14

Where does this matter?

I presume if you are playing with a container and you are dropping capabilities you are doing so because you have real root inside the container. As such what you can do inside a user namespace should not be relevant.

Further file capabilities set outside of a user namespace continue to work inside the user namespaces on any kernel that supports user namespaces. The binaries that use file capabilities are just then limited to having those file capabilities inside the user namespace in which they run.

@hallyn
Copy link
Member

hallyn commented Oct 24, 2018

I opened PR #137 before I saw this, sorry.

Please update configure.ac to ensure that setcap is installed before doing everything else.

Then assuming you've test-built this with and without filecaps flag, I'll merge this one.

@giuseppe
newuidmap/newgidmap: install with file capabilities
7097145 
do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the fcap-newuidmap-newgidmap branch from c9ea9d0 to 7097145 Compare October 24, 2018 21:21
@giuseppe
Copy link
Contributor Author

giuseppe commented Oct 24, 2018

Please update configure.ac to ensure that setcap is installed before doing everything else.

I've pushed an updated version where I've added a check for setcap

@AkihiroSuda
Copy link

AkihiroSuda commented Oct 25, 2018

I'm not sure this can be alternative, because setting file capabilities in user namespace is not supported for Kernel < 4.14

Where does this matter?

It matters

  • when building a rootfs image (especially for containers but not limited to) with newuidmap/newgidmap binaries in a user namespace. e.g. building an image of img using img itself.
  • when unpacking a rootfs archive with newuidmap/newgidmap binaries in a user namespace

I presume if you are playing with a container and you are dropping capabilities you are doing so because you have real root inside the container.

No

@AkihiroSuda
Copy link

AkihiroSuda commented Oct 25, 2018

I'm also wondering there might be some container builder & runtime implementations that does not support filecaps?

@cyphar
Copy link
Contributor

cyphar commented Oct 25, 2018

I'm also wondering there might be some container builder & runtime implementations that does not support filecaps?

In general they would be non-OCI compliant or just not a useful runtime (most distributions use fscaps for /usr/bin/ping). But AUFS would have some issues since it has "interesting" xattr support -- but AUFS has many other issues and I don't think it makes much sense to accommodate it given that very few people use it nowadays.

@giuseppe
Copy link
Contributor Author

giuseppe commented Oct 25, 2018

@brauner @hallyn should we default to installing with file caps? I am not really sure what the default should be :)

@brauner
Copy link
Collaborator

brauner commented Oct 25, 2018

@giuseppe, default to setuid for now and in a year when namespaced file caps have found even more adoption and the new LTS kernel is out we make an announcement and make fscaps the default. We can announce in this release that we plan on switching over new*idmap to fscaps in the next release.

@giuseppe
Copy link
Contributor Author

giuseppe commented Oct 25, 2018

@brauner That makes sense, thanks for the clarification. Could we reconsider #132 in the meanwhile since newuidmap/newgidmap will still be used as suid binaries for now?

@hallyn hallyn merged commit bb3f810 into shadow-maint:master Oct 27, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brauner brauner brauner left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@giuseppe @AkihiroSuda @brauner @ebiederm @hallyn @cyphar