tailhook / vagga

Vagga is a containerization tool without daemons
http://vagga.readthedocs.org
MIT License

SUID support as alternative to user namespaces? #509

Closed vn971 closed 5 years ago

vn971 commented 5 years ago

If I understand it correctly, there is still some controversy on how secure user namespaces are, even on a modern kernel. One alternative approach is to provide a minimalistic SUID binary that is:

Would it be possible for vagga to support such a mode of operation? One example tool that goes with this approach is bubblewrap (https://github.com/projectatomic/bubblewrap). Does it provide all the necessary functionality that vagga needs? If it does, it could be useful for users already having bubblewrap installed, or preferring such an approach in general.

Issue https://github.com/tailhook/vagga/issues/54 raises a similar question as well, but I think it was not meant as separation of SUID and the rest of the program, thus seriously lacking in security. The alternative I'm trying to raise now is more comparable to current vagga in terms of security.

Thoughts?

tailhook commented 5 years ago

Basic train of thought is:

  1. To build a container, vagga needs apt-get inside the container
  2. apt-get needs the chown system call
  3. chown is only available to root
  4. So a SUID vagga needs to give real root user privileges to apt-get running in a container

I.e. giving unlimited privileges to the build script (chroot doesn't help to limit the capabilities of the root user).

The only SUID vagga binary that I might see as helpful is one that uses user namespaces but requires the SUID bit to overcome kernel.unprivileged_userns_clone=0. But I think there are better controls on who can use user namespaces in recent kernels.

Even if there are kernel vulnerabilities from time to time, it's still much safer than running an arbitrary bash script or makefile as is the current practice. And hopefully this attack vector will be even smaller in the future.
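The distinction tailhook draws above (root obtained from a SUID binary is the real root, while root inside a user namespace is the caller's own uid wearing uid 0) can be observed directly. The following is an added example written for this page, not code from vagga or bubblewrap: it forks, calls unshare(CLONE_NEWUSER) in the child, maps uid 0 to the caller's real uid, and then shows that chown to uid 0 succeeds (which is what apt-get needs) while chown to any uid outside uid_map fails with EINVAL, so this "root" cannot hand files to real host users. It assumes Linux with /proc mounted and a writable /tmp; the temp file name, the function names and the three-state result code are this example's own. On a kernel or sandbox that refuses unprivileged user namespaces (the kernel.unprivileged_userns_clone=0 case mentioned above, or a seccomp profile that blocks unshare) the demo reports that instead of failing.

```c
/* Added example (not vagga or bubblewrap code): what "root" means inside an
 * unprivileged user namespace.  Linux only; assumes /proc and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h>, same on every arch */
#endif

enum userns_result {
    USERNS_OK = 0,          /* entered a user namespace as uid 0; chown behaved as expected */
    USERNS_UNAVAILABLE = 1, /* kernel refused unshare(CLONE_NEWUSER), e.g. unprivileged_userns_clone=0 */
    USERNS_ERROR = 2        /* some later step failed; details on stderr */
};

/* Translate a uid seen inside the namespace through one "inside outside count"
 * line of /proc/PID/uid_map, as the kernel does.  Returns -1 when unmapped,
 * which is exactly the case in which chown() fails with EINVAL. */
long map_uid(const char *uid_map_line, long inside)
{
    long first, outside, count;
    if (sscanf(uid_map_line, "%ld %ld %ld", &first, &outside, &count) != 3 ||
        inside < first || inside >= first + count)
        return -1;
    return outside + (inside - first);
}

static int write_text(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs in a forked child so the caller's own process is left untouched. */
static int become_fake_root_and_chown(const char *path, uid_t uid, gid_t gid)
{
    char line[64];

    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) {
        fprintf(stderr, "unshare(CLONE_NEWUSER): %s\n", strerror(errno));
        return USERNS_UNAVAILABLE;
    }
    /* Without CAP_SETUID in the parent namespace a process may write exactly
     * one mapping line, and only for its own uid/gid.  setgroups must be
     * denied first (Linux >= 3.19) or the gid_map write is rejected. */
    if (write_text("/proc/self/setgroups", "deny\n") != 0 && errno != ENOENT) return USERNS_ERROR;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)uid);
    if (write_text("/proc/self/uid_map", line) != 0) return USERNS_ERROR;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)gid);
    if (write_text("/proc/self/gid_map", line) != 0) return USERNS_ERROR;
    if (geteuid() != 0) return USERNS_ERROR;

    /* We are now "root": chown to uid 0 succeeds, which is all apt-get needs
     * when it chowns files to root inside the container image. */
    if (chown(path, 0, 0) != 0) {
        fprintf(stderr, "chown(path, 0, 0): %s\n", strerror(errno));
        return USERNS_ERROR;
    }
    /* But uid 1 is not in our uid_map, so this "root" cannot hand a file to any
     * real host user: the kernel rejects the unmapped id with EINVAL.  A SUID
     * binary that merely chroots would have no such limit. */
    if (chown(path, 1, 1) == 0 || errno != EINVAL) {
        fprintf(stderr, "chown(path, 1, 1) did not fail with EINVAL\n");
        return USERNS_ERROR;
    }
    return USERNS_OK;
}

/* Create a temp file, run the demonstration in a child, return its enum userns_result. */
int demo_chown_in_userns(void)
{
    char path[] = "/tmp/userns-chown-demo-XXXXXX";   /* hypothetical scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return USERNS_ERROR;
    close(fd);
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return USERNS_ERROR; }
    if (pid == 0)
        _exit(become_fake_root_and_chown(path, getuid(), getgid()));
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : USERNS_ERROR;
}
```

Run it as an ordinary user on a kernel that permits unprivileged user namespaces and demo_chown_in_userns() returns USERNS_OK: the process passed as uid 0 for the one chown a package manager actually performs, yet was refused the chown a real root could do. Were the same program made SUID and run without the namespace, chown(path, 1, 1) would simply succeed, which is the unlimited privilege the comment above warns about. Where it returns USERNS_UNAVAILABLE, check the sysctl named in the comment (kernel.unprivileged_userns_clone on Debian-derived kernels) or the container's seccomp profile.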

vn971 commented 5 years ago

@tailhook interesting. So the chown syscall makes things harder.

I don't see any elegant solution, let it stay as is then. Thanks for the explanation.