ES-Nix / podman-rootless

Example of using nix + flakes to have podman rootless working
MIT License
14 stars 0 forks

The newuidmap and newgidmap binaries #9

Open PedroRegisPOAR opened 2 years ago

PedroRegisPOAR commented 2 years ago

Abstract

These are some notes that, from time to time, I come back to and add some more stuff to.

After the build, Nix sets the last-modified timestamp on all files in the build result to 1 (00:00:01 1/1/1970 UTC), sets the group to the default group, and sets the mode of the file to 0444 or 0555 (i.e., read-only, with execute permission enabled if the file was originally executable). Note that possible setuid and setgid bits are cleared. Setuid and setgid programs are not currently supported by Nix. This is because the Nix archives used in deployment have no concept of ownership information, and because it makes the build result dependent on the user performing the build. From: https://nixos.org/manual/nix/unstable/expressions/derivations.html

126 lines of tests in Nix itself to make sure it is not possible to create files in /nix/store with "weird permissions"! The first line of the file:

Verify that Linux builds cannot create setuid or setgid binaries. https://github.com/NixOS/nix/blob/26c7602c390f8c511f326785b570918b2f468892/tests/setuid.nix

Note that rootless podman requires newuidmap which can't come from the shadow Nix package on non-NixOS From: https://nixos.wiki/wiki/Podman Well, I did it; it is a hack, but it works, not in NixOS :[

TODO: maybe use a "wider" path (path = [ "/run/wrappers:/home/someuser/.local/bin" ];)?

DebConf 14: QA with Linus Torvalds, start=1176, end=1228

This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64). From: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/local/nested_namespace_idmap_limit_priv_esc

TODO: https://t.me/nixosbrasil/70805

TODO:

Personally I prefer Apptainer (Formerly Singularity) instead of Podman. The latest release of Apptainer (1.1.0) is fully rootless with no special suid binary. A bonus is that it also doesn't require the setup of subuid/subgid configurations. You just need unprivileged user namespaces enabled in your kernel or sysctl settings. https://www.reddit.com/r/NixOS/comments/xwmx6o/comment/irb5bpa/?utm_source=reddit&utm_medium=web2x&context=3

sed -i 's/-m 4755/-m 755/g' builddir/Makefile

Refs.:

Details

users.extraUsers.<name>.subUidRanges

https://t.me/nixosbrasil/34929

https://github.com/NixOS/nixpkgs/blob/6ea00bb91225c751e79b83aaed5ee2dbdde0f24d/nixos/modules/programs/noisetorch.nix#L20-L25

https://github.com/NixOS/nixpkgs/blob/8ee160c2d452efc6acff0d4f286970f6f93e35ba/nixos/modules/programs/shadow.nix#L115-L116

Base link https://zenhack.net/2016/01/24/reflections-on-nixos.html,

https://github.com/nix-community/nix-user-chroot#add-a-setuid-version

https://unix.stackexchange.com/a/389903

https://github.com/NixOS/nixpkgs/blob/93ca5ab64f78ce778c0bcecf9458263f0f6289b6/pkgs/applications/virtualization/podman/default.nix#L95

This may be too restrictive for cases in which the real program needs cap_setpcap but it at least leans on the side security paranoid vs. too relaxed. https://github.com/NixOS/nixpkgs/blob/77c929982cf56e15652e89ad125ee5af5b391324/nixos/modules/security/wrappers/default.nix#L63-L70

TODO: looks like the problem is how shadow is compiled?! https://github.com/genuinetools/img/issues/144#issuecomment-818129822

More details

There was a bug in shadow's source code, see https://github.com/tailhook/vagga/issues/12#issuecomment-259389901; it was fixed in https://github.com/shadow-maint/shadow/pull/43. We need tests everywhere!

TODO: is it all from "the same" bug?

The WSL: https://unix.stackexchange.com/a/388562

getfattr -d -m -

From: https://unix.stackexchange.com/a/388562

By Red Hat: "Linux permissions: SUID, SGID, and sticky bit"

Source of the newgidmap and newuidmap in the official github repository.

In podman source code: newgidmap and newuidmap

Source of security/wrappers/ that is used in NixOS.

You could refactor nixos/modules/security/setuid-wrappers.nix to get that support outside of NixOS, but the wrappers would have to be stored outside /nix/store From: https://github.com/NixOS/nixpkgs/issues/6034#issuecomment-71921941

  postPatch = ''
    # loop over both helpers; a brace list in an assignment ("V={a,b}") is
    # not expanded by the shell and would substitute nothing useful
    for V in newgidmap newuidmap; do
      substituteInPlace ./internal/unshare/unshare.c \
        --replace "/usr/bin/$V" "${wrapperDir}/$V"
    done
  '';

From: https://github.com/NixOS/nixpkgs/blob/a90e1bacf7a938c4247c6bdaef188215ac73c83f/pkgs/development/tools/img/default.nix#L22-L26 and see it in nsjail source code https://github.com/NixOS/nixpkgs/pull/139917#discussion_r718898089, (pinned source version).

The commit that introduced these binaries:

    security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp"
      "newuidmap" "newgidmap"  # new in shadow 4.2.x
      ];

From: https://github.com/NixOS/nixpkgs/pull/3100/files#diff-e9c7b883f114501b3e493bb2690f3ea51606a925cb91c50da0d7db0ab7992568R103-R105

In the nixpkgs#shadow derivation:

      newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
      newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";

From: https://github.com/NixOS/nixpkgs/blob/0699530f08290f34c532beedd66046825d9756fa/nixos/modules/programs/shadow.nix#L122-L123

In the nixpkgs#shadow derivation:

#define idtool(type) ((type) == GID ? "/usr/bin/newgidmap" : "/usr/bin/newuidmap")

From: https://github.com/genuinetools/img/blob/16d3b6cad7e72f4cd9c8dad0e159902eeee00898/internal/unshare/unshare.c#L134

About compile X11 with --enable-suid-wrapper: https://discourse.nixos.org/t/xorg-on-non-nixos/13455/4

Declaratively make /nix/store permissions 1771?

Some programs need SUID wrappers, can be configured further or are started in user sessions.

programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};

TODO:

Minimal relevant bits

podman \
run \
--env="SHELL=/bin/bash" \
--interactive=true \
--tty=true \
--rm=true \
--user=podman \
--workdir=/home/podman \
quay.io/podman/stable \
bash \
-c \
'
echo

getcap /usr/bin/new{u,g}idmap

echo

stat -c %a /usr/bin/new{u,g}idmap
stat -c %A /usr/bin/new{u,g}idmap

echo

cat /etc/sub{u,g}id
'

TODO: export as a .tar.gz and import back to test if the capabilities are preserved.

podman \
run \
--interactive=true \
--tty=true \
--rm=true \
--user=podman \
quay.io/podman/stable \
sh \
-c \
'
echo

getcap /usr/bin/new{u,g}idmap

echo

stat /usr/bin/new{u,g}idmap

echo

cat /etc/sub{u,g}id
'
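The two podman runs above inspect the helpers inside the quay.io/podman/stable image. The script below is an added example (it is not part of this issue, of ES-Nix/podman-rootless, or of podman) that does the same preflight on the host, where the problem the notes describe actually bites: it reports whether each of newuidmap/newgidmap on PATH is setuid or carries cap_setuid/cap_setgid file capabilities, flags a helper that resolves into /nix/store (where Nix has stripped the setuid bit, so it cannot work), sums the subordinate id ranges /etc/subuid and /etc/subgid grant the current user, and reads the user-namespace sysctls. Assumptions: Linux, POSIX sh with a `readlink -f` that fails on missing paths (GNU or busybox), and an optional `getcap` from libcap; the helper names, the 65536-id threshold (podman's documented recommendation) and the `--check` flag are this example's own choices.

```sh
#!/bin/sh
# Added example: preflight for the uid/gid mapping helpers rootless podman needs.
# Not the issue's, ES-Nix/podman-rootless's or podman's own code.

# helper_privilege FILE: print how FILE may write /proc/PID/{uid,gid}_map.
#   setuid  - set-user-ID bit present (distro packaging, mode 4755)
#   filecap - no setuid bit, but cap_setuid/cap_setgid file capabilities
#   none    - neither; e.g. a plain 0555 copy straight out of /nix/store
#   missing - FILE does not exist
helper_privilege() {
    f=$1
    if [ ! -f "$f" ]; then printf 'missing\n'; return 0; fi
    if [ -u "$f" ]; then printf 'setuid\n'; return 0; fi
    # getcap is optional; without it we can only see the mode bits
    if command -v getcap >/dev/null 2>&1 \
       && getcap "$f" 2>/dev/null | grep -Eq 'cap_set[ug]id'; then
        printf 'filecap\n'; return 0
    fi
    printf 'none\n'
}

# in_nix_store PATH: 0 if PATH (symlinks resolved when it exists) is under
# /nix/store. Nix fixes store files to 0444/0555 and clears setuid/setgid, so a
# helper that resolves there can never be a working setuid wrapper.
in_nix_store() {
    p=$(readlink -f "$1" 2>/dev/null) || p=$1
    case "$p" in
        /nix/store/*) return 0 ;;
        *) return 1 ;;
    esac
}

# subid_count KEY FILE: sum the "count" of every KEY:start:count line in an
# /etc/subuid- or /etc/subgid-style FILE (KEY is a user name or numeric uid,
# both are accepted by newuidmap). Prints 0 when FILE is unreadable or has
# no entry for KEY.
subid_count() {
    key=$1 file=$2
    if [ ! -r "$file" ]; then printf '0\n'; return 0; fi
    awk -F: -v u="$key" '
        NF == 0 || $0 ~ /^[ \t]*#/ { next }          # blank lines and comments
        $1 == u && $3 ~ /^[0-9]+$/ { total += $3 }
        END { printf "%d\n", total + 0 }
    ' "$file"
}

# userns_unprivileged: 0 if this kernel lets an unprivileged user create user
# namespaces, judged from the sysctls that exist on it.
userns_unprivileged() {
    m=/proc/sys/user/max_user_namespaces
    [ -r "$m" ] && [ "$(cat "$m")" -gt 0 ] || return 1
    c=/proc/sys/kernel/unprivileged_userns_clone      # Debian/Ubuntu-only knob
    if [ -r "$c" ] && [ "$(cat "$c")" = 0 ]; then return 1; fi
    return 0
}

# preflight: one line per check; exit 0 only when everything is in place.
preflight() {
    rc=0
    for h in newuidmap newgidmap; do
        p=$(command -v "$h" 2>/dev/null) || { echo "FAIL $h: not on PATH"; rc=1; continue; }
        priv=$(helper_privilege "$p")
        if [ "$priv" = none ]; then
            rc=1
            if in_nix_store "$p"; then
                echo "FAIL $h: $p is a 0555 store path; a setuid wrapper must live outside /nix/store (e.g. /run/wrappers/bin)"
            else
                echo "FAIL $h: $p has neither the setuid bit nor cap_set{u,g}id"
            fi
        else
            echo "ok   $h: $p ($priv)"
        fi
    done
    for kind in u g; do
        n=$(subid_count "$(id -un)" "/etc/sub${kind}id")
        [ "$n" -eq 0 ] && n=$(subid_count "$(id -u)" "/etc/sub${kind}id")
        if [ "$n" -ge 65536 ]; then
            echo "ok   /etc/sub${kind}id: $n ids for $(id -un)"
        else
            echo "FAIL /etc/sub${kind}id: $n ids for $(id -un) (fewer than the 65536 podman recommends)"; rc=1
        fi
    done
    if userns_unprivileged; then echo "ok   unprivileged user namespaces"
    else echo "FAIL unprivileged user namespaces are disabled"; rc=1; fi
    return $rc
}

# usage: sh preflight.sh --check
case "${1:-}" in
    --check) preflight ;;
esac
```

On a non-NixOS host that put shadow's `newuidmap` from the Nix package first on PATH, the first check is the one that fails with the "store path" message: the binary is intact, it just cannot change uid, which is the situation the notes above work around with a wrapper outside the store.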