[systemd-devel] [PATCH] nspawn: spawn shell under specified --user

Ludwig Nussel ludwig.nussel at suse.de
Mon Jun 27 08:32:21 PDT 2011


Lennart Poettering wrote:
> On Mon, 27.06.11 14:50, Michal Vyskocil (mvyskocil at suse.cz) wrote:
> 
> > On Mon, Jun 27, 2011 at 02:01:27PM +0200, Lennart Poettering wrote:
> > > On Fri, 24.06.11 14:39, Michal Vyskocil (mvyskocil at suse.cz) wrote:
> > > 
> > > > Add -u/--user option, which changes the effective and real user and
> > > > group id to the new value. The user must exist in the chroot, otherwise
> > > > it will fail. Both username and user id are accepted.
> > > 
> > > Sounds sensible, though I do wonder about the ultimate usefulness of
> > > this given that this requires user settings configured on the host
> > > systems in a way that makes sense in the container too. (i.e. the $HOME
> > > and UID/GID of the user must be in sync in host and in container). Or am
> > > I missing something?
> > 
> > Yes, that's the requirement - the user must exist in the chroot. But I don't
> > see any need why the uid/gid must be the same. All things are done after
> > chroot("."), so in the context of container.

Not necessarily. If there's a connection to nscd open you will keep
talking to the host.
http://lists.rpm.org/pipermail/rpm-maint/2011-May/003010.html

> Hmm, I wonder if this might turn out to be a problem, since the NSS
> modules from the container might not be compatible with the host glibc
> which we are using.
> 
> Hmm, given the rigorous compat logic glibc includes this might be safe,
> so let's merge it. If it breaks, then we can still revisit the issue.

It did indeed break at least once in the past. glibc 2.2/2.3 or
something like that.

Also keep in mind that you are loading shared libs from the chroot
into the process which is still running as root. So name based user
switching is not a security feature.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
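One way to act on the point made above about name lookups running as root inside the chroot, as an added example that is neither the patch under discussion nor nspawn's own code: accept only numeric ids (so no NSS module from the container is ever loaded by the root process) and drop privileges in an order that can be verified afterwards. It assumes Linux/glibc (setresuid, setresgid, getresuid) and that the caller has already done chroot() and chdir("/"); the gid-defaults-to-uid rule is an assumption, not nspawn's behaviour.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "UID" or "UID:GID" as plain decimal numbers. Returns 0 on success,
 * -1 if a field is empty, signed, non-numeric or out of range. Accepting only
 * numeric ids means no NSS lookup (and no NSS module from the chroot) has to
 * run while the process is still root. */
int parse_numeric_ids(const char *spec, uid_t *uid, gid_t *gid) {
    char *end;
    unsigned long u, g;

    if (!spec || *spec < '0' || *spec > '9') return -1;
    errno = 0;
    u = strtoul(spec, &end, 10);
    if (errno || (*end != '\0' && *end != ':')) return -1;
    if (*end == ':') {
        const char *gs = end + 1;
        if (*gs < '0' || *gs > '9') return -1;
        g = strtoul(gs, &end, 10);
        if (errno || *end != '\0') return -1;
    } else {
        g = u;   /* assumption: no group given, use gid == uid */
    }
    if (u > (unsigned long)(uid_t)-1 || g > (unsigned long)(gid_t)-1) return -1;
    *uid = (uid_t)u;
    *gid = (gid_t)g;
    return 0;
}

/* Drop root to uid/gid after the caller has done chroot() and chdir("/").
 * Order matters: supplementary groups and gid first (they need root), uid
 * last. Real, effective and saved ids are all set so the switch is permanent,
 * and the result is verified rather than trusted. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid) {
    uid_t r, e, s;

    if (setgroups(0, NULL) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;
    if (setresuid(uid, uid, uid) < 0) return -1;
    if (getresuid(&r, &e, &s) < 0 || r != uid || e != uid || s != uid) return -1;
    /* If root can be regained, the drop did not really happen: fail closed. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}
```

drop_privileges() only succeeds when run as root, so its effect has to be checked in a privileged test; parse_numeric_ids() can be exercised unprivileged.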

