Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753470AbbDBOHB (ORCPT ); Thu, 2 Apr 2015 10:07:01 -0400 Received: from mail-lb0-f169.google.com ([209.85.217.169]:34363 "EHLO mail-lb0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752093AbbDBOG2 (ORCPT ); Thu, 2 Apr 2015 10:06:28 -0400 MIME-Version: 1.0 In-Reply-To: <1427969525.3559.120.camel@HansenPartnership.com> References: <1427447013.2250.9.camel@HansenPartnership.com> <1427788642.4411.12.camel@redhat.com> <1427807248.2117.117.camel@HansenPartnership.com> <1427808184.2117.122.camel@HansenPartnership.com> <1427810118.2117.126.camel@HansenPartnership.com> <1427810886.2117.129.camel@HansenPartnership.com> <1427811444.4411.20.camel@redhat.com> <1427969525.3559.120.camel@HansenPartnership.com> From: Andy Lutomirski Date: Thu, 2 Apr 2015 07:06:06 -0700 Message-ID: Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options To: James Bottomley Cc: Alexander Larsson , gnome-os-list@gnome.org, Linux Containers , "linux-kernel@vger.kernel.org" , mclasen@redhat.com, "Eric W. Biederman" , Linux FS Devel Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2831 Lines: 69 On Thu, Apr 2, 2015 at 3:12 AM, James Bottomley wrote: > On Tue, 2015-03-31 at 16:17 +0200, Alexander Larsson wrote: >> On tis, 2015-03-31 at 17:08 +0300, James Bottomley wrote: >> > On Tue, 2015-03-31 at 06:59 -0700, Andy Lutomirski wrote: >> > > >> > > I don't think that this is correct. That user can already create a >> > > nested userns and map themselves as 0 inside it. Then they can mount >> > > devpts. >> > >> > I don't mind if they create a container and control the isolated ttys in >> > that sub container in the VPS; that's fine. I do mind if they get >> > access to the ttys in the VPS. >> > >> > If you can convince me (and the rest of Linux) that the tty subsystem >> > should be mountable by an unprivileged user generally, then what you >> > propose is OK. >> >> That is controlled by the general rights to mount stuff. I.e. unless you >> have CAP_SYS_ADMIN in the VPS container you will not be able to mount >> devpts there. You can only do it in a subcontainer where you got >> permissions to mount via using user namespaces. > > OK let me try again. Fine, if you want to speak capabilities, you've > given a non-root user an unexpected capability (the capability of > creating a ptmx device). But you haven't used a capability separation > to do this, you've just hard coded it via a mount parameter mechanism. > > If you want to do this thing, do it properly, so it's acceptable to the > whole of Linux, not a special corner case for one particular type of > container. > > Security breaches are created when people code in special, little used, > corner cases because they don't get as thoroughly tested and inspected > as generally applicable mechanisms. > > What you want is to be able to use the tty subsystem as a non root user: > fine, but set that up globally, don't hide it in containers so a lot > fewer people care. I tend to agree, and not just for the tty subsystem. This is an attack surface issue. With unprivileged user namespaces, unprivileged users can create mount namespaces (probably a good thing for bind mounts, etc), network namespaces (reasonably safe by themselves), network interfaces and iptables rules (scary), fresh instances/superblocks of some filesystems (scariness depends on the fs -- tmpfs is probably fine), and more. I think we should have real controls for this, and this is mostly Eric's domain. Eric? A silly issue that sometimes prevents devpts from being mountable isn't a real control, though. --Andy > > James > > -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/