Open Szunti opened 3 years ago
Please do. Thanks for your input.
Thank you for making psd. I'm glad if I can contribute a little. I will make a pr probably tomorrow.
With the 5.11 kernel unprivileged overlayfs mounting is allowed. @graysky2 do you plan to update the code accordingly?
Worth looking into... but now getting into versioned deps....
@szaszaiz - Do you have an example mounting as such? This doc seems to indicate that a simple mount option is all that's needed.
the "-o userxattr" mount option forces overlayfs to use the "user.overlay." xattr namespace instead of "trusted.overlay.". This is useful for unprivileged mounting of overlayfs.
Perhaps I am missing something.
% mkdir /scratch/.openwrt-upper /scratch/.openwrt-work /scratch/union
% mount -o userxattr -t overlay openwrt-build -olowerdir=/incoming/openwrt,upperdir=/scratch/.openwrt-upper,workdir=/scratch/.openwrt-work /scratch/union
mount: /scratch/union: must be superuser to use mount.
Sorry, I disappeared.
This works for me:
# Run bash in new user namespace and mount namespace to get capabilities
% unshare --user --mount -r bash
(inside userns)% mount -t overlay ovi -oupperdir=upper,lowerdir=lower,workdir=workdir union
From mount_namespace(7) manual page:
When creating a less privileged mount namespace, shared mounts are reduced to slave mounts. (Shared and slave mounts are discussed below.) This ensures that mappings performed in less privileged mount namespaces will not propagate to more privileged mount namespaces.
So IIUC we still can't create mounts without privileges that are seen by the browsers.
Is it acceptable to have a wrapper that runs the browser in the user namespace?
Sorry I disappeared. Do you have a proof-of-concept wrapper hacked up?
I have something in the user-namespace branch of my fork. git clone git@github.com:Szunti/profile-sync-daemon.git user-namespace
The readme file should explain how to use it. I hope it's not hard to understand.
But I don't think there is a good way to wrap all ways of running a browser. So this may not be a viable solution.
@Szunti for your config.sh can't the user use ~/.local/share/applications/firefox.desktop to override the global firefox.desktop? According to archwiki "User entries take precedence over system entries." https://wiki.archlinux.org/title/Desktop_entries
I'm not sure, but when you set firefox as your default browser a desktop file is created. That probably references the binary by absolute path too. I think trying to override firefox is fragile.
Wouldn't it be easier to add the overlay to fstab for example?
The root problem here is that psd-overlay-helper
is just a wrapper around mount
(and one that requires root privileges at that). Using a user namespace doesn't really seem to solve the problem to me, it just shifts the arbitrary commands from root to user level where havoc can still be wreaked.
One solution (this is just brainstorming, not necessarily a practical idea) is to have profile-sync-daemon run as root at start, mount the overlay, then drop privileges. Then not have psd-overlay-helper
be able to be called at all.
Alternatively, instead of allowing it to accept arbitrary input, do some input sanitization.
Or, have the whole thing run as a dedicated (or dynamic user). Though I don't know how this interacts with overlayfs.
Or add some privilege flags to the systemd script (like ProtectHome
, an example not suggesting it) that will restrict the capabilities of the executables.
Acting on arbitrary arguments makes it easy to bypass file privileges. Fixes for #235 were not really effective.
There could be more, this is just a couple I found.
I suggest that psd-overlay-helper takes only the lower directory as argument and maybe a name and creates the upper, workdir and merged dir in safe places on its own. Also at unmounting it checks that it actually unmounts one of the directories that it mounted and gets the workdir from the mounting options. I could try to work on this if you agree.