-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uid/gidmapping #145
base: main
Are you sure you want to change the base?
uid/gidmapping #145
Conversation
…clude /usr/loca/bin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand... most of this. A few more questions. I think moving the mapper into this repo is important from a supply-chain security perspective.
@@ -159,6 +166,12 @@ autodetect_union_helper() { | |||
fi | |||
} | |||
|
|||
# notify the mapper that we're up | |||
echo "a" > "$SOCKET" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's use different sentinels when sending to and receiving from the mapper---we should check that the sentinels are what we expect, too.
then | ||
error "need root for -u" 2 | ||
fi | ||
EUSER="$OPTARG" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to unconditionally clear EUSER
at startup, so that it can't be invoked as EUSER=foo try ...
. I suggest using a more specific name, like TRYUSER
.
. "$script_to_execute" | ||
if [ "$EUSER" ] | ||
then | ||
su - $EUSER -c "cd "$START_DIR" && sh $script_to_execute" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we confident that all of the other variables we care about are marked as export?
This should probably be exec su ...
, since we have no other work afterwards. In fact, we could probably do cd "$START_DIR" && exec su - ...
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add a test to ensure that:
(a) normal (non-sudo
) use of try
doesn't let you read files you should not have
(b) sudo
within the normal try
container doesn't leak privileges
(c) we need to carefully articulate how we lose privileges after having run --map-root-user
# Change uid/gid mapping | ||
################################################################################ | ||
|
||
mapper() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe a more informative name, like uid_gid_mapper()
?
mapper() { | ||
cat "$SOCKET" > /dev/null | ||
# Get the pid of the unshare process with current pid as parent | ||
pid=$(pgrep -P $$ -f unshare) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a new external dependency?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, we're adding libcap2-bin and procps/procps-ng. readme will be updated appropriately.
libcap2-bin for setup to do addcap to the gidmapper.
procps for pgrep to look for unshare thread id, was hoping for a non-external-dependency needed option, perhaps we can have this be built into the c gidmapper impl.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's write the process id on the socket, save ourselves the trouble.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
notes from meeting
we need to understand the security implications before moving forward
mapper() { | ||
cat "$SOCKET" > /dev/null | ||
# Get the pid of the unshare process with current pid as parent | ||
pid=$(pgrep -P $$ -f unshare) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's write the process id on the socket, save ourselves the trouble.
gidmapper "$pid" 0 0 65535 0 0 65535 | ||
else | ||
# If not running as root, we can only mount the caller user | ||
gidmapper "$pid" 0 "$(id -u)" 1 0 0 65535 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
investigate gidmapper "$pid" 0 "$(id -u)" 1 0 "$(id -g)" 1
? why map all groups?
. "$script_to_execute" | ||
if [ "$EUSER" ] | ||
then | ||
su - $EUSER -c "cd "$START_DIR" && sh $script_to_execute" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add a test to ensure that:
(a) normal (non-sudo
) use of try
doesn't let you read files you should not have
(b) sudo
within the normal try
container doesn't leak privileges
(c) we need to carefully articulate how we lose privileges after having run --map-root-user
One other test to run: can a valid |
test/toplevel-perms.sh permissions test change (blocked by keep toplevel dir modes and symlinks #138)[1][1] due to regular files not being tracked in try (tangent #150), we're also not setting the permissions correctly. e.g., if /test is owned by another user, this will not be reflected in try. This is likely outside the scope of this PR. However we can probably track this in another issue, #90 could also fix it.
Four tiers of uid/gid mapping
-u
set:id
result will look the same.closes #140
closes #143
closes #6