Old 12-10-2010, 05:12 PM
"Daniel P. Berrange"
 
hosted reproducible package building with multiple developers?

On Fri, Dec 10, 2010 at 01:01:56PM -0500, James Ralston wrote:
> On 2010-12-10 at 14:02+00 Daniel P Berrange <berrange@redhat.com> wrote:
>
> > I'm not familiar with what attacks you can do on mock's chroot setup
> > offhand
>
> <http://fedoraproject.org/wiki/Projects/Mock> describes an easy one:
>
> $ /usr/bin/mock --init -r fedora-10-i386
> $ /usr/bin/mock --shell -r fedora-10-i386
> mock-chroot> chmod u+s bin/bash
> $ /var/lib/mock/fedora-10-i386/root/bin/bash -p
> # cat /etc/shadow
>
> > but perhaps it is possible to avoid them by also leveraging some of
> > the new kernel container features which allow you to build stronger
> > virtual root, without going to the extreme of a full VM.
>
> There are two challenges here.
>
> First, you must be able to prevent the root user from breaking out of
> the chroot jail.
>
> But second, you must also prevent unprivileged users outside of the
> chroot jail from being able to interact with things inside the chroot
> jail in a manner that they can use to escalate their privileges.
>
> Setting up a setuid bash shell within the chroot jail and then
> invoking it via a normal user outside of the jail is the obvious
> example, but there are undoubtedly other avenues of attack that must
> be defended.

Oh fun, I didn't notice the permissions in /var/lib/mock/$NAME/root
were so open as to allow access from non-root users outside the
chroot. That could be locked down though, so that stuff inside the
chroot was only visible while on the inside.

Daniel
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
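
An added example, not part of the original thread or of mock itself: a host-side audit for the exposure discussed in this message. It reports whether a chroot root directory is searchable by users other than its owner and group, and lists the setuid/setgid files under it. The function names are hypothetical; the path to check (for instance the /var/lib/mock/fedora-10-i386/root tree quoted above) is passed as an argument.

```sh
#!/bin/sh
# Added example: audit a mock-style chroot tree from the host side.
# Usage: sh audit.sh /var/lib/mock/fedora-10-i386/root [more roots...]

# Returns 0 when the "other" search (x) bit is set on the directory itself.
# Parent directories are not checked, so the verdict is conservative.
world_can_enter() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0001 2>/dev/null)" ]
}

# Print every setuid or setgid regular file below the directory.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print a verdict for one chroot root.
# Returns 1 when set-id files are reachable from outside, 2 on a bad path.
audit_chroot() {
    root=$1
    [ -d "$root" ] || { echo "SKIP $root: not a directory"; return 2; }
    count=$(list_setid_files "$root" | wc -l | tr -d ' ')
    if ! world_can_enter "$root"; then
        echo "LOCKED $root: not searchable by other users ($count set-id files inside)"
        return 0
    fi
    if [ "$count" -eq 0 ]; then
        echo "OPEN $root: searchable by other users, no set-id files found"
        return 0
    fi
    echo "EXPOSED $root: $count set-id files reachable from outside the chroot"
    list_setid_files "$root" | sed 's/^/  /'
    return 1
}

# Audit each path given on the command line; exit non-zero if any is exposed.
status=0
for r in "$@"; do
    audit_chroot "$r" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

Run it as root so that find can descend into a tree that has already been locked down; a LOCKED verdict corresponds to the restriction suggested above, where the chroot contents are only visible from the inside.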
 
Old 12-10-2010, 05:35 PM
Jesse Keating
 

On 12/10/2010 10:12 AM, Daniel P. Berrange wrote:
> Oh fun, I didn't notice the permissions in /var/lib/mock/$NAME/root
> were so open as to allow access from non-root users outside the
> chroot. That could be locked down though, so that stuff inside the
> chroot was only visible while on the inside.


Got patches?

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
Old 12-10-2010, 05:50 PM
Thomas Moschny
 

2010/12/10 Matt McCutchen <matt@mattmccutchen.net>:
> On Fri, 2010-12-10 at 15:06 +0000, Daniel P. Berrange wrote:
>> Adding CLONE_NEWPID would be worthwhile to stop the
>> mock process seeing any other PIDs on the machine.
>
> It's critical, or mock could ptrace some process running as root on the
> host and inject arbitrary code.

Wouldn't a properly set-up LXC container be a better solution here?
See http://lxc.sourceforge.net/ . LXC is already packaged for Fedora,
and also in RHEL6 iiuc.

--
Thomas Moschny <thomas.moschny@gmail.com>
 
Old 12-11-2010, 01:42 AM
Kevin Kofler
 

Till Maas wrote:
> I guess giving someone a shell account in a VM is usually not less safe
> than giving someone shell access on the host of the VM, as long as the
> VM does not use kvm and does not run as root.

By "does not use kvm", you mean pure software emulation? Enjoy the factor 50
slowdown!

(Yes, I've tried this, it was the only way for me to build x86_64 packages
locally before I got the Core 2 Duo notebook, as I only had a 32-bit-only
Pentium 4 Northwood desktop and an ancient Pentium II laptop, which was of
course 32-bit-only as well. A package which normally takes 10 minutes to
build took 8 hours under QEMU software emulation.)

Kevin Kofler
