Red Hat Bugzilla – Bug 819338
Review Request: linux-user-chroot - Helper program for calling chroot(2) as non-root
Last modified: 2015-01-20 08:34:12 EST
Spec URL: http://fedorapeople.org/~walters/linux-user-chroot.spec
SRPM URL: http://fedorapeople.org/~walters/linux-user-chroot-2012.1-1.fc16.src.rpm
Description: This is a helper program for calling chroot(2) as a non-root user. It
should NOT be installed by default; only install this on systems for
which local, authenticated denial of service attacks are not a serious
Some concerns were raised about adding a new setuid binary. Basically, my thoughts on this are:
* Conceptually this program doesn't allow a user to purely gain privileges; it's a trade of ability to execute other setuid binaries for the ability to call chroot() and make bind mounts. So it's not like e.g. NetworkManager where the user formerly couldn't control the network, now they can. By the nature of the tool, it's only designed to *limit* privileges for the child it runs. For example, it allows callers to have no networking stack.
* I believe this binary will not be a part of a privilege escalation chain that's not possible to reach with any other setuid binary installed by default (/bin/mount, /usr/sbin/seunshare) for example.
* We *could* offer a configure option to use PolicyKit but it'd be really invasive...I'd do it if this was blocked getting into Fedora, but the precedents of seunshare and mount exist.
Does this wrapper add new functionality wrt existing schroot(1)?
schroot offers non-root users the ability to use chroots that
were pre-configured for them by root -- thereby bypassing
most of the security concerns.
(In reply to comment #2)
> Does this wrapper add new functionality wrt existing schroot(1)?
> schroot offers non-root users the ability to use chroots that
> were pre-configured for them by root -- thereby bypassing
> most of the security concerns.
The operative phrase here is "were pre-configured for them by root". linux-user-chroot requires no such thing.
New spec URL: http://fedorapeople.org/~walters/ostree/linux-user-chroot.spec
New SRPM URL: http://fedorapeople.org/~walters/ostree/linux-user-chroot-2012.2-1.fc17.src.rpm
imho the naming is unwieldy. "uchroot"?
Also no changelog. Which I hope we get to at some point, but I don't think koji or the guidelines are there yet.
(In reply to comment #5)
> imho the naming is unwieldy. "uchroot"?
Eh...I'm not going to rename it now honestly. The real endgame hopefully is that the kernel allows this by default, and this tool can go away. i.e. one could use the "chroot" and "unshare" binaries that already exist.
However, the issue with doing that is resource controls. It's a *really* hard problem.
In the meantime, I rely heavily on this tool for doing software builds as non-root on systems where I don't have untrusted users that might want to DoS the machine.
> Also no changelog. Which I hope we get to at some point, but I don't think
> koji or the guidelines are there yet.
I'll add one when the package is approved.
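The privilege trade described in the first comment (give up the ability to execute other setuid binaries, gain the ability to chroot and bind-mount) and the "chroot plus unshare" endgame mentioned in the reply above can be illustrated with a small standalone program. This is an added example, not linux-user-chroot's own source: it assumes PR_SET_NO_NEW_PRIVS as the mechanism for refusing future privilege gains, and it assumes a kernel that permits unprivileged user namespaces (CLONE_NEWUSER), which is what eventually let an unprivileged process do this without any setuid helper. No uid_map is written, so inside the namespace the caller appears as the overflow uid; file access is still governed by the real credentials.

```c
/* Added example (not the linux-user-chroot project's code).
 * Unprivileged "chroot + bind mount, minus setuid" in three steps:
 *   1. PR_SET_NO_NEW_PRIVS: exec of setuid/setgid/file-cap binaries no longer
 *      raises privileges. Irreversible, inherited by children.
 *   2. unshare() into new user, mount and network namespaces: the child has
 *      its own mount table and no networking stack.
 *   3. bind-mount a host directory into NEWROOT and chroot() there.
 * Assumes Linux with unprivileged user namespaces enabled. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Step 1: refuse any future privilege gain. Returns 0 on success, -1 on error. */
int drop_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Query the no_new_privs bit: 1 if set, 0 if clear, -1 on error. */
int has_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Step 2: detach from the host's mount and network namespaces. CLONE_NEWUSER
 * is what makes this legal for a non-root caller; returns -1 (errno EPERM or
 * EINVAL) where the kernel or a container runtime forbids it. */
int unshare_sandbox_namespaces(void)
{
    return unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET);
}

/* Step 3: bind-mount bind_src onto NEWROOT/bind_dst_rel (the directory must
 * already exist), then chroot into NEWROOT. Mount propagation is made private
 * first so nothing done here leaks back into the host mount table. */
int enter_root(const char *newroot, const char *bind_src, const char *bind_dst_rel)
{
    char dst[4096];

    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", newroot, bind_dst_rel) >= (int)sizeof dst) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mount(bind_src, dst, NULL, MS_BIND | MS_REC, NULL) != 0)
        return -1;
    if (chroot(newroot) != 0)
        return -1;
    return chdir("/");
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s NEWROOT PROGRAM [ARGS...]\n"
                        "(NEWROOT/usr must exist; the host /usr is bind-mounted there)\n",
                argv[0]);
        return 2;
    }
    /* The order matters: privileges are surrendered before any namespace or
     * mount work, so nothing exec'd afterwards can regain them. */
    if (drop_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    if (unshare_sandbox_namespaces() != 0) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWNET)");
        return 1;
    }
    if (enter_root(argv[1], "/usr", "usr") != 0) {
        perror("bind mount / chroot");
        return 1;
    }
    execv(argv[2], argv + 2);
    perror("execv");
    return 1;
}
```

Run as an ordinary user, e.g. `./sandbox /path/to/newroot /usr/bin/sh`: inside, `ip link` shows only a down loopback interface, and a setuid binary such as `/usr/bin/su` runs but cannot raise its uid, which is exactly the trade the thread describes. Where the unshare step fails with EPERM, the kernel or container policy does not allow unprivileged user namespaces, and a setuid helper (or root) would be needed instead.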
There might be an argument that setuid programs need special FESCO/security consideration before being accepted in the collection, but I think it should apply only to packages that are installed by default in some of the official spins.
I am approving the package given that:
- You'll fix the License: tag which currently says LGPL2v+, the source is GPLv2+
- You'll add a changelog
- You'll fix the Source: line - s/2012.1/2012.2/
- You'll consider removing the rm -rf $RPM_BUILD_ROOT parts which are not needed in fedora or el6
Otherwise the source matches, the package builds in mock and seems to work, doesn't conflict with anything existing.
New Package SCM Request
Package Name: linux-user-chroot
Short Description: Helper program for calling chroot(2) as non-root
Branches: f17 f18 el6
Git done (by process-git-requests).
Package Change Request
Package Name: linux-user-chroot
New Branches: el7