Hello Serge,
Your commit:
[[
commit db2e718a47984b9d71ed890eb2ea36ecf150de18
Author: Serge E. Hallyn <[email protected]>
Date: Tue Apr 20 08:43:34 2021 -0500
capabilities: require CAP_SETFCAP to map uid 0
]]
added a new requirement when updating a UID map a user namespace
with a value of '0 0 *'.
Kir sent a patch to briefly document this change, but I think much more
should be written. I've attempted to do so. Could you tell me whether the
following text (to be added in user_namespaces(7)) is accurate please:
[[
In order for a process to write to the /proc/[pid]/uid_map
(/proc/[pid]/gid_map) file, all of the following requirements must
be met:
[...]
4. If updating /proc/[pid]/uid_map to create a mapping that maps
UID 0 in the parent namespace, then one of the following must
be true:
* if writing process is in the parent user namespace, then it
must have the CAP_SETFCAP capability in that user namespace;
or
* if the writing process is in the child user namespace, then
the process that created the user namespace must have had
the CAP_SETFCAP capability when the namespace was created.
This rule has been in place since Linux 5.12. It eliminates an
earlier security bug whereby a UID 0 process that lacks the
CAP_SETFCAP capability, which is needed to create a binary with
namespaced file capabilities (as described in capabilities(7)),
could nevertheless create such a binary, by the following
steps:
* Create a new user namespace with the identity mapping (i.e.,
UID 0 in the new user namespace maps to UID 0 in the parent
namespace), so that UID 0 in both namespaces is equivalent
to the same root user ID.
* Since the child process has the CAP_SETFCAP capability, it
could create a binary with namespaced file capabilities that
would then be effective in the parent user namespace (be‐
cause the root user IDs are the same in the two namespaces).
[...]
]]
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
On Sun, Aug 08, 2021 at 11:09:30AM +0200, Michael Kerrisk (man-pages) wrote:
> Hello Serge,
>
> Your commit:
>
> [[
> commit db2e718a47984b9d71ed890eb2ea36ecf150de18
> Author: Serge E. Hallyn <[email protected]>
> Date: Tue Apr 20 08:43:34 2021 -0500
>
> capabilities: require CAP_SETFCAP to map uid 0
> ]]
>
> added a new requirement when updating a UID map a user namespace
> with a value of '0 0 *'.
>
> Kir sent a patch to briefly document this change, but I think much more
> should be written. I've attempted to do so. Could you tell me whether the
> following text (to be added in user_namespaces(7)) is accurate please:
Sorry for the delay - this did not go into my main mailbox.
The text looks good. Thanks!
> [[
> In order for a process to write to the /proc/[pid]/uid_map
> (/proc/[pid]/gid_map) file, all of the following requirements must
> be met:
>
> [...]
>
> 4. If updating /proc/[pid]/uid_map to create a mapping that maps
> UID 0 in the parent namespace, then one of the following must
> be true:
>
> * if writing process is in the parent user namespace, then it
> must have the CAP_SETFCAP capability in that user namespace;
> or
>
> * if the writing process is in the child user namespace, then
> the process that created the user namespace must have had
> the CAP_SETFCAP capability when the namespace was created.
>
> This rule has been in place since Linux 5.12. It eliminates an
> earlier security bug whereby a UID 0 process that lacks the
> CAP_SETFCAP capability, which is needed to create a binary with
> namespaced file capabilities (as described in capabilities(7)),
> could nevertheless create such a binary, by the following
> steps:
>
> * Create a new user namespace with the identity mapping (i.e.,
> UID 0 in the new user namespace maps to UID 0 in the parent
> namespace), so that UID 0 in both namespaces is equivalent
> to the same root user ID.
>
> * Since the child process has the CAP_SETFCAP capability, it
> could create a binary with namespaced file capabilities that
> would then be effective in the parent user namespace (be‐
> cause the root user IDs are the same in the two namespaces).
>
> [...]
> ]]
>
> Thanks,
>
> Michael
>
> --
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/
Hi Serge
On 8/11/21 1:58 AM, Serge E. Hallyn wrote:
> On Sun, Aug 08, 2021 at 11:09:30AM +0200, Michael Kerrisk (man-pages) wrote:
>> Hello Serge,
>>
Hello Serge,
>> Your commit:
>>
>> [[
>> commit db2e718a47984b9d71ed890eb2ea36ecf150de18
>> Author: Serge E. Hallyn <[email protected]>
>> Date: Tue Apr 20 08:43:34 2021 -0500
>>
>> capabilities: require CAP_SETFCAP to map uid 0
>> ]]
>>
>> added a new requirement when updating a UID map a user namespace
>> with a value of '0 0 *'.
>>
>> Kir sent a patch to briefly document this change, but I think much more
>> should be written. I've attempted to do so. Could you tell me whether the
>> following text (to be added in user_namespaces(7)) is accurate please:
>
> Sorry for the delay - this did not go into my main mailbox.
>
> The text looks good. Thanks!
Thanks for checking it!
Cheers,
Michael
>> [[
>> In order for a process to write to the /proc/[pid]/uid_map
>> (/proc/[pid]/gid_map) file, all of the following requirements must
>> be met:
>>
>> [...]
>>
>> 4. If updating /proc/[pid]/uid_map to create a mapping that maps
>> UID 0 in the parent namespace, then one of the following must
>> be true:
>>
>> * if writing process is in the parent user namespace, then it
>> must have the CAP_SETFCAP capability in that user namespace;
>> or
>>
>> * if the writing process is in the child user namespace, then
>> the process that created the user namespace must have had
>> the CAP_SETFCAP capability when the namespace was created.
>>
>> This rule has been in place since Linux 5.12. It eliminates an
>> earlier security bug whereby a UID 0 process that lacks the
>> CAP_SETFCAP capability, which is needed to create a binary with
>> namespaced file capabilities (as described in capabilities(7)),
>> could nevertheless create such a binary, by the following
>> steps:
>>
>> * Create a new user namespace with the identity mapping (i.e.,
>> UID 0 in the new user namespace maps to UID 0 in the parent
>> namespace), so that UID 0 in both namespaces is equivalent
>> to the same root user ID.
>>
>> * Since the child process has the CAP_SETFCAP capability, it
>> could create a binary with namespaced file capabilities that
>> would then be effective in the parent user namespace (be‐
>> cause the root user IDs are the same in the two namespaces).
>>
>> [...]
>> ]]
>>
>> Thanks,
>>
>> Michael
>>
>> --
>> Michael Kerrisk
>> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
>> Linux/UNIX System Programming Training: http://man7.org/training/
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/