unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
From: bokr@bokr.com
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: othacehe@gnu.org, Maxim Cournoyer <maxim.cournoyer@gmail.com>,
	54786@debbugs.gnu.org
Subject: bug#54786: Installation tests are failing
Date: Wed, 8 Jun 2022 02:58:09 +0200	[thread overview]
Message-ID: <20220608005809.GA2794@LionPure> (raw)
In-Reply-To: <877d5sbmjt.fsf@gnu.org>

Hi,

tl;dr: I hope there will be a security team discussing
       whether/how this kind of privileged execution interval
       could be exploited, and how to prevent such.
       
       E.g., could something that stealthily gets put in a finalizer
       for some innocent object be waiting to notice that it is running
       privileged, and do the next step in a dirty-work chain that
       sets things up nicely for e.g. remote DDOS control?

       Or is the independent FLOSS development process
       and its quality control being sabotaged stealthily
       with injections of "innocent mistakes" and
       (ultimately) trivial time-wasting bugs, making FLOSS projects
       look "not ready for production use" ?
       (despite the increasing evidence to the contrary)
              
       BTW, I think a minimalist/MES/RISCV team would be interesting!

       Regards,
       Bengt Richter
       
On +2022-06-07 16:00:54 +0200, Ludovic Courtès wrote:gets\
> Hi!
> 
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> 
> > Ludovic Courtès <ludo@gnu.org> writes:
> 
> [...]
> 
> >>> I reviewed how that works, and it'd be easy; I just didn't see the
> >>> incentive yet (there's no composition needed for the service, and it'd
> >>> make the definition slightly less readable).  If you tell me
> >>> mark+forkexec-constructor/container is going the way of the Dodo though,
> >>> that's a good enough incentive :-).
> >
> > That turns out to be bit problematic; dbus-daemon must not run in its
> > own user namespace (CLONE_NEWUSER) as it wants to validate user/group
> > IDs.  That's probably the reason it was working with
> > 'make-forkexec-constructor/container', as this was dropping the user and
> > net namespaces, contrary to least-authority, which uses them all.
> >
> > The problem then seems to be that since we need CAP_SYS_ADMIN when
> > dropping the user namespace, as CLONE_NEWUSER is what gives us
> > superpowers.  Per 'man user_namespaces':
> >
> >   The child process created by clone(2) with the CLONE_NEWUSER flag starts
> >   out with a complete set of capabilities in the new user namespace.
> >
> > Which means that if we combine something like (untested):
> >
> > (make-forkexec-constructor
> >   (least-authority
> >     (list (file-append coreutils "/bin/true"))
> >     (mappings (delq 'user %namespaces))
> >   #:user  "nobody"
> >   #:group "nobody"))
> >
> > the make-forkexec-constructor will switch to the non-privileged user
> > before the clone call is made, and it will fail with EPERM.
> >
> > When using 'make-forkexec-constructor/container', the clone(2) call
> > happens before switching user, thus as 'root' in Shepherd, which
> > explains why it works.
> 
> Damnit, that’s right.  For example the result of:
> 
>    (lower-object (least-authority-wrapper (file-append coreutils "/bin/uname")
>                                           #:namespaces (delq 'user %namespaces)))
> 
> won’t run as an unprivileged user:
> 
> --8<---------------cut here---------------start------------->8---
> $ $(guix build /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv)
> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
> substitute: updating substitutes from 'https://guix.bordeaux.inria.fr'... 100.0%
> The following derivations will be built:
>   /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv
>   /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv
> building /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv...
> successfully built /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv
> building /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv...
> successfully built /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv
> Backtrace:
>            5 (primitive-load "/gnu/store/ifsh87aifh2k8pqzhkjxncq3vskpwx3l-pola-wrapper")
> In ice-9/eval.scm:
>    191:35  4 (_ #f)
> In gnu/build/linux-container.scm:
>     300:8  3 (call-with-temporary-directory #<procedure 7f9aa3a674b0 at gnu/build/linux-container.scm:396:3 (root)>)
>    397:16  2 (_ "/tmp/guix-directory.K9gBNH")
>     239:7  1 (run-container "/tmp/guix-directory.K9gBNH" (#<<file-system> device: "/gnu/store/jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5…> …) …)
> In guix/build/syscalls.scm:
>   1099:12  0 (_ 1845624849)
> 
> guix/build/syscalls.scm:1099:12: In procedure clone: 1845624849: Operation not permitted
> --8<---------------cut here---------------end--------------->8---
> 
> > I'm not sure how it could be fixed; it seems the user changing business
> > would need to be handled by the least-authority-wrapper code?  And the
> > make-forkexec-constructor would probably need to detect that command is
> > a pola wrapper and then avoid changing the user/group itself to not
> > interfere.
> 
> I think we would add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid.  ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.
> 
> Thanks,
> Ludo’.
> 
> 
> 




  reply	other threads:[~2022-06-08  0:59 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-08  9:51 bug#54786: Installation tests are failing Mathieu Othacehe
2022-04-08 15:10 ` Mathieu Othacehe
2022-04-28  7:22   ` Mathieu Othacehe
2022-04-28 19:19     ` Ludovic Courtès
2022-04-29 19:50       ` Ludovic Courtès
2022-04-30 13:02         ` Mathieu Othacehe
2022-05-01 13:26           ` Ludovic Courtès
2022-05-25  3:43             ` Maxim Cournoyer
2022-05-28 21:29               ` Ludovic Courtès
2022-05-31 16:44                 ` bug#54786: [PATCH] services: jami: Modernize to adjust to Shepherd 0.9+ changes Maxim Cournoyer
2022-06-01  9:54                   ` bug#54786: Installation tests are failing Ludovic Courtès
2022-06-01 13:10                     ` Maxim Cournoyer
2022-06-02 13:13                       ` Ludovic Courtès
2022-06-02 17:24                         ` Maxim Cournoyer
2022-06-02 20:43                           ` Ludovic Courtès
2022-06-04  4:37                             ` Maxim Cournoyer
2022-06-07 14:00                               ` Ludovic Courtès
2022-06-08  0:58                                 ` bokr [this message]
2022-06-11  4:18                                 ` Maxim Cournoyer
2022-08-09 14:20                                   ` Mathieu Othacehe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220608005809.GA2794@LionPure \
    --to=bokr@bokr.com \
    --cc=54786@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    --cc=maxim.cournoyer@gmail.com \
    --cc=othacehe@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).