Re: xdg-app without setuid

From: Kenton Varda <kenton sandstorm io>
To: Alexander Larsson <alexl redhat com>
Cc: gnome-os-list gnome org
Subject: Re: xdg-app without setuid
Date: Fri, 29 May 2015 10:55:50 -0700

On Fri, May 29, 2015 at 1:48 AM, Alexander Larsson <alexl redhat com> wrote:

On tor, 2015-05-28 at 22:31 +0200, Alexander Larsson wrote:

I just pushed some changes to make xdg-app use user namespaces, which
means it does not require any elevated permissions like setuid or
setcap.

I need to do some more testing on it to make sure nothing broke, but it
seems to work for me.

However, there is an issue with some 4.0.x kernels, where it causes a
panic. For fedora this is fixed in the 4.0.4-302 kernel (and it works
with previous 3.19 kernels). If you want to test this, make sure you
have a new enough or old enough kernel.


I added back the old setuid implementation if you pass --disable-userns
to configure, since some old distros don't have user namespaces.
However, my recommendation is for everyone that can to use the user
namespace implementation, it is less risky as there are no increased
privileges needed.


FWIW, Arch has steadfastly refused to enable user namespaces even in
new kernels:

https://bugs.archlinux.org/task/36969

And on Debian-derived distros you need to flip a sysctl first.

Not arguing against using user namespaces, but just FYI.

BTW, are you using seccomp to make sure the sandboxed app cannot
itself create nested user namespaces? Since they are the source of so
many privilege escalation bugs it seems like a good idea. Here's where
we do it in Sandstorm.io:

https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/supervisor.c++#L1055-L1061

-Kenton

References:
- xdg-app without setuid
  - From: Alexander Larsson
- Re: xdg-app without setuid
  - From: Alexander Larsson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]