Closed vn971 closed 5 years ago
Basic train of thought is:
The `chown` system call is only available to root, i.e. this gives unlimited privileges to the build script (chroot doesn't help to limit the capabilities of the root user).
The only suid vagga binary that I might see as helpful is one that uses user namespaces but requires the suid bit to overcome `kernel.unprivileged_userns_clone=0`. But I think there are better controls on who can use user namespaces in recent kernels.
Even if there are kernel vulnerabilities from time to time, it's still much safer than running arbitrary bash script or makefile as is the current practice. And hopefully this attack vector will be even smaller in future.
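The no-suid path that tailhook contrasts with a suid helper, as an added C probe that is not vagga's own code: it creates a user namespace, maps the caller to uid 0 inside it, and reports whether the kernel allowed that. The function names, the `/proc/self/uid_map` handling and the sysctl file path under `/proc/sys` are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* kernel.unprivileged_userns_clone text (Debian/Ubuntu knob named in the thread):
 * 1 = allowed, 0 = denied, -1 = unparseable or file absent. */
int parse_userns_sysctl(const char *text) {
    if (text == NULL) return -1;
    if (text[0] == '0') return 0;
    if (text[0] == '1') return 1;
    return -1;
}

/* Write one string into a /proc file; 0 on success, -errno on failure. */
static int write_file(const char *path, const char *content) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = (write(fd, content, strlen(content)) < 0) ? -errno : 0;
    close(fd);
    return rc;
}

/* The no-suid path: unshare a user namespace and map our real uid/gid to 0/0.
 * Inside it we hold CAP_CHOWN over that one mapped id only (chown() to any other
 * id fails with EINVAL); returns 0 or -errno, e.g. -EPERM when the sysctl is 0. */
int enter_userns_as_root(void) {
    char map[64];
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    /* an unprivileged process must deny setgroups before it may write gid_map */
    int rc = write_file("/proc/self/setgroups", "deny");
    if (rc < 0) return rc;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if ((rc = write_file("/proc/self/uid_map", map)) < 0) return rc;
    snprintf(map, sizeof map, "0 %u 1", gid);
    return write_file("/proc/self/gid_map", map);
}
int main(void) {
    char buf[8] = {0};
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    printf("unprivileged_userns_clone: %d\n", parse_userns_sysctl(f ? buf : NULL));
    int rc = enter_userns_as_root();
    if (rc < 0) { printf("no user namespace: %s\n", strerror(-rc)); return 1; }
    printf("euid inside the namespace: %u\n", (unsigned)geteuid());
    return 0;
}
```

A `-1` from the sysctl line simply means the kernel has no such knob; the `enter_userns_as_root` result is what actually tells you whether the unprivileged path is usable on this host.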
@tailhook interesting. So the `chown` syscall makes things harder.
I don't see any elegant solution, let it stay as is then. Thanks for the explanation.
If I understand it correctly, there is still some controversy on how secure user namespaces are, even on a modern kernel. One alternative approach is to provide a minimalistic SUID binary that is:
Would it be possible for `vagga` to support such a mode of operation? One example tool that goes with this approach is bubblewrap: https://github.com/projectatomic/bubblewrap. Does it provide all the necessary functionality that vagga needs? If it does, it could be useful for users already having bubblewrap installed, or preferring such an approach in general.

Issue https://github.com/tailhook/vagga/issues/54 raises a similar question as well, but I think it was not meant as a separation of SUID and the rest of the program, and is thus seriously lacking in security. The alternative I'm trying to raise now is more comparable to current vagga in terms of security.
Thoughts?