Bug 819338

Summary: Review Request: linux-user-chroot - Helper program for calling chroot(2) as non-root
Product: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Colin Walters <walters>
Assignee: Yanko Kaneti <yaneti>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: michel, notting, oron, package-review, yaneti
Flags: yaneti: fedora-review+, gwync: fedora-cvs+
Doc Type: Bug Fix
Last Closed: 2012-08-20 17:58:46 UTC
Bug Blocks: 819951

Description Colin Walters 2012-05-06 17:48:39 UTC
Spec URL: http://fedorapeople.org/~walters/linux-user-chroot.spec
SRPM URL: http://fedorapeople.org/~walters/linux-user-chroot-2012.1-1.fc16.src.rpm
Description: This is a helper program for calling chroot(2) as a non-root user.  It
should NOT be installed by default; only install this on systems for
which local, authenticated denial of service attacks are not a serious
concern.

Comment 1 Colin Walters 2012-05-07 20:39:02 UTC
Some concerns were raised about adding a new setuid binary.  Basically, my thoughts on this are:

* Conceptually this program doesn't allow a user to purely gain privileges; it's a trade of the ability to execute other setuid binaries for the ability to call chroot() and make bind mounts.  So it's not like e.g. NetworkManager where the user formerly couldn't control the network, now they can.  By the nature of the tool, it's only designed to *limit* privileges for the child it runs.  For example, it allows callers to have no networking stack.

* I believe this binary will not be a part of a privilege escalation chain that's not possible to reach with any other setuid binary installed by default (/bin/mount, /usr/sbin/seunshare, for example).

* We *could* offer a configure option to use PolicyKit but it'd be really invasive...I'd do it if this was blocked getting into Fedora, but the precedents of seunshare and mount exist.
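
The trade Colin describes above (give up the ability to execute setuid binaries, gain chroot plus bind mounts, optionally lose the network stack) can be sketched as a minimal setuid-root helper. The following is an added example written for this page; it is not the linux-user-chroot source. The program name, the `--unshare-net` flag, the function names and the usage line are assumptions, and the `PR_SET_NO_NEW_PRIVS` flag is belt-and-braces that the comment does not mention. It must be run as root or installed setuid root to actually enter a chroot:

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Fallbacks in case a harness pulled in libc headers before _GNU_SOURCE took effect. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif
extern int unshare(int flags);
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Forbid gaining privileges across execve(): a setuid or file-capability binary
 * run inside the chroot executes as a plain program.  Inherited by children. */
static int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Return to the caller's real uid/gid: groups first, then gid, then uid, and
 * afterwards prove that root is unreachable.  Any failure is fatal to the caller. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)      /* only root may clear the group list */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)                     /* a non-root caller must not climb back */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Private mount namespace (optionally a fresh, empty network namespace), bind
 * newroot onto itself, strip setuid/device semantics from that bind, chroot. */
static int enter_chroot(const char *newroot, int unshare_net)
{
    int flags = CLONE_NEWNS | (unshare_net ? CLONE_NEWNET : 0);
    if (unshare(flags) != 0)
        return -1;
    /* Make the whole tree private so the bind below never propagates to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (mount(newroot, newroot, NULL, MS_BIND | MS_REC, NULL) != 0)
        return -1;
    /* The trade: re-mount the bind nosuid/nodev so setuid binaries inside lose their effect.
     * This remount is not recursive; submounts under newroot keep their own flags. */
    if (mount(NULL, newroot, NULL, MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NODEV, NULL) != 0)
        return -1;
    if (chroot(newroot) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    int unshare_net = 0, i = 1;
    if (argc > 1 && strcmp(argv[1], "--unshare-net") == 0) {
        unshare_net = 1;
        i = 2;
    }
    if (argc - i < 2) {
        fprintf(stderr, "usage: %s [--unshare-net] NEWROOT PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    const char *newroot = argv[i];
    char **cmd = &argv[i + 1];
    uid_t ruid = getuid();          /* the caller we will hand control back to */
    gid_t rgid = getgid();

    if (geteuid() != 0) {
        fprintf(stderr, "must run as root or be installed setuid root\n");
        return 1;
    }
    if (enter_chroot(newroot, unshare_net) != 0) { perror("enter_chroot"); return 1; }
    if (set_no_new_privs() != 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    if (drop_privileges(ruid, rgid) != 0) { fprintf(stderr, "failed to drop privileges\n"); return 1; }
    execvp(cmd[0], cmd);            /* resolved inside the chroot, as the unprivileged caller */
    perror("execvp");
    return 127;
}
```

Installed setuid root, a call such as `./helper --unshare-net /srv/build /bin/sh` (hypothetical paths) gives the caller a shell that sees only `/srv/build`, has no network, and cannot regain anything by running a setuid binary inside: the bind is nosuid and no_new_privs is set. This is the sense in which the tool only limits the child. The remaining exposure is exactly the one the description names, local denial of service through mount namespaces and process resources, which is why the order of operations is root work first, then drop, then exec, with no code path that execs while still root.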

Comment 2 Oron Peled 2012-05-18 17:39:38 UTC
Does this wrapper add new functionality wrt the existing schroot(1)?
   http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

schroot offers non-root users the ability to use chroots that
were pre-configured for them by root -- thereby bypassing
most of the security concerns.

Comment 3 Colin Walters 2012-05-22 13:20:03 UTC
(In reply to comment #2)
> Does this wrapper add new functionality wrt the existing schroot(1)?
>    http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

Yes,

> schroot offers non-root users the ability to use chroots that
> were pre-configured for them by root -- thereby bypassing
> most of the security concerns.

The operative phrase here is "were pre-configured for them by root".  linux-user-chroot requires no such thing.

Comment 5 Yanko Kaneti 2012-08-16 16:09:41 UTC
imho the naming is unwieldy. "uchroot"?
Also no changelog, which I hope we get to at some point, but I don't think koji or the guidelines are there yet.

Comment 6 Colin Walters 2012-08-16 17:01:36 UTC
(In reply to comment #5)
> imho the naming is unwieldy . "uchroot" ?

Eh...I'm not going to rename it now honestly.  The real endgame hopefully is that the kernel allows this by default, and this tool can go away.  i.e. one could use the "chroot" and "unshare" binaries that already exist.

However, the issue with doing that is resource controls.  It's a *really* hard problem.

In the meantime, I rely heavily on this tool for doing software builds as non-root on systems where I don't have untrusted users that might want to DoS the machine.

> Also no changelog. Which I hope we get to at some point, but I don't think
> koji or the guidelines are there yet.

I'll add one when the package is approved.

Comment 7 Yanko Kaneti 2012-08-17 09:09:22 UTC
There might be an argument that setuid programs need special FESCO/security consideration before being accepted in the collection, but I think it should apply only to packages that are installed by default in some of the official spins.


I am approving the package given that:
- You'll fix the License: tag, which currently says LGPL2v+; the source is GPLv2+
- You'll add a changelog
- You'll fix the Source: line (s/2012.1/2012.2/)
- You'll consider removing the rm -rf $RPM_BUILD_ROOT parts which are not needed in fedora or el6

Otherwise the source matches, the package builds in mock and seems to work, doesn't conflict with anything existing.

Comment 8 Colin Walters 2012-08-20 15:35:15 UTC
New Package SCM Request
=======================
Package Name: linux-user-chroot
Short Description: Helper program for calling chroot(2) as non-root
Owners: walters
Branches: f17 f18 el6
InitialCC:

Comment 9 Gwyn Ciesla 2012-08-20 16:54:53 UTC
Git done (by process-git-requests).

Comment 10 Colin Walters 2012-08-20 17:58:46 UTC
Thanks!

Comment 11 Colin Walters 2015-01-20 02:34:15 UTC
Package Change Request
======================
Package Name: linux-user-chroot
New Branches: el7
Owners: walters
InitialCC:

Comment 12 Gwyn Ciesla 2015-01-20 13:34:12 UTC
Git done (by process-git-requests).