Bug 819338 - Review Request: linux-user-chroot - Helper program for calling chroot(2) as non-root
Summary: Review Request: linux-user-chroot - Helper program for calling chroot(2) as n...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Yanko Kaneti
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 819951
TreeView+ depends on / blocked
 
Reported: 2012-05-06 17:48 UTC by Colin Walters
Modified: 2015-01-20 13:34 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-20 17:58:46 UTC
Type: ---
yaneti: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Colin Walters 2012-05-06 17:48:39 UTC
Spec URL: http://fedorapeople.org/~walters/linux-user-chroot.spec
SRPM URL: http://fedorapeople.org/~walters/linux-user-chroot-2012.1-1.fc16.src.rpm
Description: This is a helper program for calling chroot(2) as a non-root user.  It
should NOT be installed by default; only install this on systems for
which local, authenticated denial of service attacks are not a serious
concern.

Comment 1 Colin Walters 2012-05-07 20:39:02 UTC
Some concerns were raised about adding a new setuid binary.  Basically, my thoughts on this are:

* Conceptually this program doesn't allow a user to purely gain priviliges; it's a trade of ability to execute other setuid binaries for the ability to call chroot() and make bind mounts.  So it's not like e.g. NetworkManager where the user formerly couldn't control the network, now they can.  By the nature of the tool, it's only designed to *limit* privileges for the child it runs.  For example, it allows callers to have no networking stack.

* I believe this binary is will not be a part of a privilege escalation chain that's not possible to reach with any other setuid binary installed by default (/bin/mount, /usr/sbin/seunshare) for example.

* We *could* offer a configure option to use PolicyKit but it'd be really invasive...I'd do it if this was blocked getting into Fedora, but the precedents of seunshare and mount exist.

Comment 2 Oron Peled 2012-05-18 17:39:38 UTC
Does this wrapper add new functionality wrt to existing schroot(1) ?
   http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

schroot offers non-root users the ability to use chroots that
were pre-configured for them by root -- thereby bypassing
most of the security concerns.

Comment 3 Colin Walters 2012-05-22 13:20:03 UTC
(In reply to comment #2)
> Does this wrapper add new functionality wrt to existing schroot(1) ?
>    http://pkgs.fedoraproject.org/gitweb/?p=schroot.git

Yes,

> schroot offers non-root users the ability to use chroots that
> were pre-configured for them by root -- thereby bypassing
> most of the security concerns.

The operative phrase here is "were pre-configured for them by root".  linux-user-chroot requires no such thing.

Comment 5 Yanko Kaneti 2012-08-16 16:09:41 UTC
imho the naming is unwieldy . "uchroot" ?
Also no changelog. Which I hope we get to at some point, but I don't think koji or the guidelines are there yet.

Comment 6 Colin Walters 2012-08-16 17:01:36 UTC
(In reply to comment #5)
> imho the naming is unwieldy . "uchroot" ?

Eh...I'm not going to rename it now honestly.  The real endgame hopefully is that the kernel allows this by default, and this tool can go away.  i.e. one could use the "chroot" and "unshare" binaries that already exist.

However, the issue with doing that is resource controls.  It's a *really* hard problem.

In the meantime, I rely heavily on this tool for doing software builds as non-root on systems where I don't have untrusted users that might want to DoS the machine.

> Also no changelog. Which I hope we get to at some point, but I don't think
> koji or the guidelines are there yet.

I'll add one when the package is approved.

Comment 7 Yanko Kaneti 2012-08-17 09:09:22 UTC
There might be an argument that setuid programs need special FESCO/security consideration before being accepted in the collection, but I think it should apply only to packages that are installed by default in some of the official spins.


I am approving the package given that:
- You'll fix the License: tag  which currently says LGPL2v+, the source is GPLv2+
- You'll add a changelog
- You'll fix the Source: line   - s/2012.1/2012.2/
- You'll consider removing the rm -rf $RPM_BUILD_ROOT parts which are not needed in fedora or el6

Otherwise the source matches, the package builds in mock and seems to work, doesn't conflict with anything existing.

Comment 8 Colin Walters 2012-08-20 15:35:15 UTC
New Package SCM Request
=======================
Package Name: linux-user-chroot
Short Description: Helper program for calling chroot(2) as non-root
Owners: walters
Branches: f17 f18 el6
InitialCC:

Comment 9 Gwyn Ciesla 2012-08-20 16:54:53 UTC
Git done (by process-git-requests).

Comment 10 Colin Walters 2012-08-20 17:58:46 UTC
Thanks!

Comment 11 Colin Walters 2015-01-20 02:34:15 UTC
Package Change Request
======================
Package Name: linux-user-chroot
New Branches: el7
Owners: walters
InitialCC:

Comment 12 Gwyn Ciesla 2015-01-20 13:34:12 UTC
Git done (by process-git-requests).


Note You need to log in before you can comment on or make changes to this bug.