Re: chroot(2) and bind mounts as non-root
From: Serge E. Hallyn
Date: Mon Dec 12 2011 - 18:11:15 EST
Quoting Colin Walters (walters@xxxxxxxxxx):
> But it was pretty trivial to modify my tool to make a MS_NOSUID bind
> mount over /:
>
> mount (NULL, "/", "none", MS_PRIVATE | MS_REMOUNT | MS_NOSUID,
> NULL);
>
> That's hopefully enough to plug that hole (right?), albeit not in a
Heh, yeah I think that suffices :)
...
> Looks to me like the MS_NOSUID bind mount prevents acquisition of file
> capabilities too.
Yup.
> I experimented with dropping all capabilities from the capability
> bounding set, but the API seems a bit lame in that CAP_LAST_CAP is
> encoded in the kernel capability.h, but if an old binary is run on a new
> kernel, I might silently fail to drop a newly added capability. Right?
Look at the cap_get_bound.3 manpage, and look for CAP_IS_SUPPORTED.
If you start at CAP_LAST_CAP and keep going up/down depending on whether
it was support or not it shouldn't take too long to find the last
valid value. Not ideal, but should be reliable.
> Steve Grubb's "libcap-ng" appears to not handle this scenario at all;
> Steve, am I missing something?
>
> Anyways, in the big picture here I think this tool is now pretty safe to
> install suid root, since we rely on MS_NOSUID to close all privilege
I haven't taken a critical look at the mount code but other than that
it seems reasonable and useful to me! Thanks.
> escalation mechanisms today from plugging in a USB drive, which is
> effectively "user controls arbitrary filesystem layout".
>
> But getting in Eric's patch for disabling suid binaries from a process
> tree would be really nice. Alan, do you still object? Your main issue
> seemed to be that it should be in a LSM, but the suid issue does span
> existing LSMs. And as far as adding restrictions introduces new attack
> vectors, pretty much all of those are abusing suid binaries, precisely
> what we just want to axe off entirely.
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/