Re: [PATCH] namei: permit linking with CAP_FOWNER in userns

From: Eric W. Biederman
Date: Tue Oct 27 2015 - 17:15:48 EST

Next message: Michal Marek: "Re: [PATCH 4/4] Mark files generated by confdata.c"
Previous message: Leonid Yegoshin: "Re: [v3, 3/3] MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()"
In reply to: Serge Hallyn: "Re: [PATCH] namei: permit linking with CAP_FOWNER in userns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Seth Forshee <seth.forshee@xxxxxxxxxxxxx> writes:

> On Tue, Oct 20, 2015 at 04:09:19PM +0200, Dirk Steinmetz wrote:
>> Attempting to hardlink to an unsafe file (e.g. a setuid binary) from
>> within an unprivileged user namespace fails, even if CAP_FOWNER is held
>> within the namespace. This may cause various failures, such as a gentoo
>> installation within a lxc container failing to build and install specific
>> packages.
>>
>> This change permits hardlinking of files owned by mapped uids, if
>> CAP_FOWNER is held for that namespace. Furthermore, it improves consistency
>> by using the existing inode_owner_or_capable(), which is aware of
>> namespaced capabilities as of 23adbe12ef7d3 ("fs,userns: Change
>> inode_capable to capable_wrt_inode_uidgid").
>>
>> Signed-off-by: Dirk Steinmetz <public@xxxxxxxxxxxxxxxxxx>
>
> Tested-by: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>

If multiple groups are hitting this issue for different reasons
I am applying the supplied patch.

> This is hitting us in Ubuntu during some dpkg upgrades in containers.
> When upgrading a file dpkg creates a hard link to the old file to back
> it up before overwriting it. When packages upgrade suid files owned by a
> non-root user the link isn't permitted, and the package upgrade fails.
> This patch fixes our problem.
>
> I did want to point what seems to be an inconsistency in how
> capabilities in user namespaces are handled with respect to inodes. When
> I started looking at this my initial thought was to replace
> capable(CAP_FOWNER) with capable_wrt_inode_uidgid(inode, CAP_FOWNER). On
> the face of it this should be equivalent to what's done here, but it
> turns out that capable_wrt_inode_uidgid requires that the inode's uid
> and gid are both mapped into the namespace whereas
> inode_owner_or_capable only requires the uid be mapped. I'm not sure how
> significant that is, but it seems a bit odd.

It is a bit odd.

inode_owner_or_capable in this context is a gimme, as only being the
owner of the file in question is enough to create a hard link, and root
(in the user namespace) can become that user.

That said I think there have been some legitimate questions about setgid
executables in may_linkat (raised down thread), as well as legitimate
questions about capable_wrt_uidgid. I will add the additional question
is it sane for us to ignore the acls in capable_wrt_uidgid.

All of this appears to be an area that no one except bad actors cares
about so I expect we can change things without causing regressions, and
on that note I encourage the conversation on the oddness to continue.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michal Marek: "Re: [PATCH 4/4] Mark files generated by confdata.c"
Previous message: Leonid Yegoshin: "Re: [v3, 3/3] MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()"
In reply to: Serge Hallyn: "Re: [PATCH] namei: permit linking with CAP_FOWNER in userns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]