* Eric W. Biederman ([email protected]) wrote:
> As I currently understand the problem everything goes along nicely
> nothing really special needed until you start asking the question
> how do I implement a root user with uid 0 who does not own the
> machine. When you start asking that question is when the creepy
> crawlies come out.
Hehe. uid 0 _and_ full capabilities. So reducing capabilities is one
relatively easy way to handle that. And, if you have a security module
loaded it's going to use security labels, which can be richer than both
uid and capabilites combined.
> On most virtual filesystems the default owner of files is uid 0.
> Additional privilege checks are not applied. Writing to those
> files could potentially have global effect.
Yes, many (albeit far from all) have a capable() check as well.
> It is completely unclear how permissions checks should work
> between two processes in different uid namespaces. Especially
> there are cases where you do want interactions.
Are there? Why put them in different containers then? I'd think
network sockets is the extent of the interaction you'd want. Sharing
filesystem does leave room for named pipes and unix domain sockets (also
in the abstract namespace). And considering the side channel in unix
domain sockets, they become a potential hole. So for solid isolation,
I'd expect disallowing access to those when the object owner is in a
different security context from context which is trying to attach.
thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
