[systemd-devel] nspawn --private-users and setuid

Lennart Poettering lennart at poettering.net
Wed Dec 23 11:56:37 PST 2015


On Fri, 11.12.15 11:36, Leroy Pubel (lepubel at gmail.com) wrote:

> Is it considered safe to setuid on a root-owned binary that launches
> systemd-nspawn with the argument  "--private-users=1000:1"?

Well, that all depends on your code... Note that SUID binaries
generally have the problem that they inherit parts of the context of
the caller, including env vars for example, some of which one might
not want to pass on (i.e. the reason why secure_getenv() exists).

Long story short: if you clean up your execution environment well
enough so that the leakage is minimal you should be reasonably safe.

Current nspawn understands quite a number of env vars, including
$UNIFIED_CGROUP_HIERARCHY or $SYSTEMD_NSPAWN_CONTAINER_SERVICE. You
need to make sure that those get dropped, so that unprivileged clients
don't get access to them.

But to clarify this: the security clean-up work is something your tool
needs to do; it's not a job for nspawn.

> 
> i.e.
> 
> /* user-nspawn.c */
> #include <stdio.h>
> #include <unistd.h>
> int main(void) {
>    const char * binary = "/usr/bin/systemd-nspawn";
>    /* note: the caller's environment is inherited unchanged by the exec'd binary */
>    execl(binary, binary, "--private-users=1000:1", (char *)NULL);
>    perror("execl"); /* only reached if the exec failed */
>    return 1;
> }
> 
> gcc -o user-nspawn user-nspawn.c
> su
> chown root:root user-nspawn
> chmod +s user-nspawn




Lennart

-- 
Lennart Poettering, Red Hat
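A hardened variant of the wrapper discussed above, written as an added example for this thread (it is not code from the original post or from systemd): instead of inheriting the caller's environment, it execs nspawn with a fixed, allowlisted envp, so nspawn's own environment knobs never reach the SUID'd child. The allowlist, the fixed PATH value and the constructed sample environment in self_check() are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
/* Fixed entries the child always gets, whatever the caller exported. */
static const char *const fixed_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
/* Only these caller variables are copied through; everything else, including nspawn's own
 * knobs ($UNIFIED_CGROUP_HIERARCHY, $SYSTEMD_NSPAWN_CONTAINER_SERVICE) and LD_*, is dropped. */
static const char *const passthrough[] = { "TERM", NULL };

static int name_is(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* out[] (NULL-terminated) := fixed_env + allowlisted caller entries; returns count, or -1 if cap is too small. */
int build_clean_env(char *const *caller, const char **out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; fixed_env[i]; i++) {
        if (n + 1 >= cap) return -1;
        out[n++] = fixed_env[i];
    }
    for (size_t i = 0; caller && caller[i]; i++)
        for (size_t j = 0; passthrough[j]; j++)
            if (name_is(caller[i], passthrough[j])) {
                if (n + 1 >= cap) return -1;
                out[n++] = caller[i];
            }
    out[n] = NULL;
    return (int)n;
}

/* Self-check on a constructed caller environment (not a real process env):
 * returns 1 if only PATH and TERM survive the filter, else 0. */
int self_check(void) {
    static char *const sample[] = { "TERM=xterm", "UNIFIED_CGROUP_HIERARCHY=1",
        "SYSTEMD_NSPAWN_CONTAINER_SERVICE=1", "LD_PRELOAD=/tmp/x.so", NULL };
    const char *env[8];
    return build_clean_env(sample, env, 8) == 2 && strcmp(env[0], fixed_env[0]) == 0
        && strcmp(env[1], "TERM=xterm") == 0 && env[2] == NULL;
}

int main(void) {
    const char *env[16], *child[] = { "/usr/bin/systemd-nspawn", "--private-users=1000:1", NULL };
    if (build_clean_env(environ, env, 16) < 0) return 1;
    execve(child[0], (char *const *)child, (char *const *)env);
    perror("execve"); /* only reached if the exec itself failed */
    return 1;
}
```

The same install steps as in the original post (chown root:root, chmod +s) apply; the difference is only in what the child inherits.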

