Bug 819338 - Review Request: linux-user-chroot - Helper program for calling chroot(2) as non-root
Review Request: linux-user-chroot - Helper program for calling chroot(2) as n...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Yanko Kaneti
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 819951
  Show dependency treegraph
 
Reported: 2012-05-06 13:48 EDT by Colin Walters
Modified: 2015-01-20 08:34 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-20 13:58:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
yaneti: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Colin Walters 2012-05-06 13:48:39 EDT
Spec URL: http://fedorapeople.org/~walters/linux-user-chroot.spec
SRPM URL: http://fedorapeople.org/~walters/linux-user-chroot-2012.1-1.fc16.src.rpm
Description: This is a helper program for calling chroot(2) as a non-root user.  It
should NOT be installed by default; only install this on systems for
which local, authenticated denial of service attacks are not a serious
concern.
Comment 1 Colin Walters 2012-05-07 16:39:02 EDT
Some concerns were raised about adding a new setuid binary.  Basically, my thoughts on this are:

* Conceptually this program doesn't allow a user to purely gain priviliges; it's a trade of ability to execute other setuid binaries for the ability to call chroot() and make bind mounts.  So it's not like e.g. NetworkManager where the user formerly couldn't control the network, now they can.  By the nature of the tool, it's only designed to *limit* privileges for the child it runs.  For example, it allows callers to have no networking stack.

* I believe this binary is will not be a part of a privilege escalation chain that's not possible to reach with any other setuid binary installed by default (/bin/mount, /usr/sbin/seunshare) for example.

* We *could* offer a configure option to use PolicyKit but it'd be really invasive...I'd do it if this was blocked getting into Fedora, but the precedents of seunshare and mount exist.
Comment 2 Oron Peled 2012-05-18 13:39:38 EDT
Does this wrapper add new functionality wrt to existing schroot(1) ?
   http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

schroot offers non-root users the ability to use chroots that
were pre-configured for them by root -- thereby bypassing
most of the security concerns.
Comment 3 Colin Walters 2012-05-22 09:20:03 EDT
(In reply to comment #2)
> Does this wrapper add new functionality wrt to existing schroot(1) ?
>    http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

Yes,

> schroot offers non-root users the ability to use chroots that
> were pre-configured for them by root -- thereby bypassing
> most of the security concerns.

The operative phrase here is "were pre-configured for them by root".  linux-user-chroot requires no such thing.
Comment 5 Yanko Kaneti 2012-08-16 12:09:41 EDT
imho the naming is unwieldy . "uchroot" ?
Also no changelog. Which I hope we get to at some point, but I don't think koji or the guidelines are there yet.
Comment 6 Colin Walters 2012-08-16 13:01:36 EDT
(In reply to comment #5)
> imho the naming is unwieldy . "uchroot" ?

Eh...I'm not going to rename it now honestly.  The real endgame hopefully is that the kernel allows this by default, and this tool can go away.  i.e. one could use the "chroot" and "unshare" binaries that already exist.

However, the issue with doing that is resource controls.  It's a *really* hard problem.

In the meantime, I rely heavily on this tool for doing software builds as non-root on systems where I don't have untrusted users that might want to DoS the machine.

> Also no changelog. Which I hope we get to at some point, but I don't think
> koji or the guidelines are there yet.

I'll add one when the package is approved.
Comment 7 Yanko Kaneti 2012-08-17 05:09:22 EDT
There might be an argument that setuid programs need special FESCO/security consideration before being accepted in the collection, but I think it should apply only to packages that are installed by default in some of the official spins.


I am approving the package given that:
- You'll fix the License: tag  which currently says LGPL2v+, the source is GPLv2+
- You'll add a changelog
- You'll fix the Source: line   - s/2012.1/2012.2/
- You'll consider removing the rm -rf $RPM_BUILD_ROOT parts which are not needed in fedora or el6

Otherwise the source matches, the package builds in mock and seems to work, doesn't conflict with anything existing.
Comment 8 Colin Walters 2012-08-20 11:35:15 EDT
New Package SCM Request
=======================
Package Name: linux-user-chroot
Short Description: Helper program for calling chroot(2) as non-root
Owners: walters
Branches: f17 f18 el6
InitialCC:
Comment 9 Gwyn Ciesla 2012-08-20 12:54:53 EDT
Git done (by process-git-requests).
Comment 10 Colin Walters 2012-08-20 13:58:46 EDT
Thanks!
Comment 11 Colin Walters 2015-01-19 21:34:15 EST
Package Change Request
======================
Package Name: linux-user-chroot
New Branches: el7
Owners: walters
InitialCC:
Comment 12 Gwyn Ciesla 2015-01-20 08:34:12 EST
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.