Bug 1061751

Summary: nsenter set uid for user namespaces
Product: Red Hat Enterprise Linux 7 Reporter: Steve Grubb <sgrubb>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED DEFERRED QA Contact: Jan Ščotka <jscotka>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: jscotka, ohudlick
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: util-linux-2.23.2-13.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-12 08:37:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1073851    
Bug Blocks: 717785    

Description Steve Grubb 2014-02-05 14:45:41 UTC 
Description of problem:
The nsenter program changes uid and then gid around lines 331. This should be done in the reverse order because changing uid drops capabilities and won't allow the gid to be changed. This is not a security problem because the call to setgid checks the return code and exits.

Also, between changing gid and uid, supplemental groups should be dropped or changed. Perhaps the best thing is to call initgroups with the new uid so that whatever groups the new uid has can be picked up. If this is not desirable, then just call setgroups(0, NULL) to unconditionally drop the supplemental groups. Not doing this can allow leakage of group root as a supplemental group.

Version-Release number of selected component (if applicable):
util-linux-2.23.2-12.el7.x86_64
Comment 1 Karel Zak 2014-02-06 13:19:50 UTC 
Ah, stupid bug. 

Fixed by upstream commit 99d7e174119e8717efae0f0fec5f7dec14492fb3 (for now setgroups() seems good enough.) RHEL7/Fedora packages will be updated ASAP.
Comment 2 Karel Zak 2014-02-20 09:44:20 UTC 
Well, nsenter(1) on RHEL7 does not have --setuid and --setgid options yet, it seems that the comment #0 is mostly about Fedora :-)

Anyway, rhel7 version also supports user namespaces, so I'm going to backport setuid and setgid stuff too. It seems more robust to have all the functionally in the util to avoid unexpected UIDs and GIDs leaks.
Comment 4 Karel Zak 2014-03-12 08:37:04 UTC 
We're going to remove user namespaces (see bug #1073851) at all from unshare and nsenter, so this bug has no sense any more. Closing.