From: Blaisorblade <bla...@ya...> - 2005-02-04 05:50:37
|
On Thursday 13 January 2005 19:28, Frank 'xraz' Fricke wrote: > Hi List! > I built UML from 2.6.10 sources with no additional uml-specific patches. > My Host is also 2.6.10 with skas. I discovered that when (my) uml is > running as root _every_ user-id inside the uml may chmod _every_ file on a > hostfs mount and therfore become root etc... I've verified that what you say is indeed true and if it happens on other releases. The current result, in fact, is that on both 2.6.9-bb4, 2.6.10 (I actually tested onto the -bs5, but there cannot be any difference), what you say does happen: paolo@zion:~ (0)$ chmod 4755 /bin/bash chmod: changing permissions of `/bin/bash': Operation not permitted paolo@zion:~ (0)$ chmod 4755 /mnt/host/bin/bash paolo@zion:~ (0)$ ll /mnt/host/bin/bash -rwsr-xr-x 1 root root 662724 2004-10-20 02:15 /mnt/host/bin/bash* > This also happens if the hostfs mount is not the root-fs. > Is the following behaviour desired? Surely not, I hope! However, remember that UML is often best run as unprivileged user and inside one chroot. > If not: what could cause it? Well, there is little that you can setup about this issue, apart the fact of running UML itself as root - I've longly had the idea to add a check to prevent UML from being run as root... (or at least give a very verbose warning about the potential problems). That said, this is one UML bug. > xraz@net3:~$ grep root /proc/mounts > rootfs / rootfs rw 0 0 > /dev/root / hostfs rw 0 0 > > xraz@net3:~$ id > uid=1000(xraz) gid=104(xraz) groups=104(xraz),9997(chefs) > > xraz@net3:~$ ls -la /bin/dash > -rwxr-xr-x 1 root root 83960 Aug 22 20:28 /bin/dash > > xraz@net3:~$ chmod 4755 /bin/dash > > xraz@net3:~$ ls -la /bin/dash > -rwsr-xr-x 1 root root 83960 Aug 22 20:28 /bin/dash > > xraz@net3:~$ /bin/dash -c id > uid=1000(xraz) gid=104(xraz) euid=0(root) groups=104(xraz),9997(chefs) > What is going wrong? > Because i suppose this is a local error and not an uml-bug i don't yet > include debuginfo about my uml & system here. Well, this was not known to me, and surely is not intended... However I don't think for now that such info is needed. That said, it has been longly-known that every user inside UML can create file as the user running UML, in hostfs, even if that is root - that is not considered to be a problem. I had tried to creat() a file with the S_ISUID (i.e. to make it suid) hoping that UML would have created a setuid file (as root since I ran UML as root), but the test failed because UML had an explicit check for such exploits, which disallowed this. -- Paolo Giarrusso, aka Blaisorblade Linux registered user n. 292729 http://www.user-mode-linux.org/~blaisorblade |