Mailinglist Archive: opensuse-amd64 (100 mails)
| < Previous | Next > |
Re: [suse-amd64] SuSE 10.1: Non-tls version of glibc?
- From: Robert Schiele <rschiele@xxxxxxxxxxxxxxx>
- Date: Mon, 5 Jun 2006 19:48:41 +0200
- Message-id: <20060605174841.GG343@xxxxxxxxxxxxxxxxxx>
On Mon, Jun 05, 2006 at 07:20:54PM +0200, Bernd Paysan wrote:
> On Friday 02 June 2006 23:39, Andi Kleen wrote:
> > A possible different way would be to create a new name space using
> > clone(CLONE_NEWNS) and overwrite all binaries/directories you want to
> > be different with mount --bind in the new name space.
> >
> > There isn't a program included to do this but it should be relatively
> > easy to write.
>
> Sounds like ~10 lines of code, i.e. clone with the CLONE_NEWNS flag, and
> if you get a pid, wait for exit of all childs and exit(), otherwise
> mount() to "/lib" with the MS_BIND flag, set the user id, and exec() to
> the remainings of arg[] (or /bin/bash if empty).
In principle yes. Actually this solution does provide some additional risks
you should consider: A system that allows a normal user to execute
applications with the SUID bit set together with user selected library
replacements can trivially be compromised by this user. Thus unless you don't
care about security at all you have to make sure that either only libraries
can be installed that are approved by the sysadmin or that the user does no
longer have the option to execute SUID or SGID binaries within the new
namespace.
Robert
--
Robert Schiele Tel.: +49-621-181-2214
Dipl.-Wirtsch.informatiker mailto:rschiele@xxxxxxxxxxxxxxx
"Quidquid latine dictum sit, altum sonatur."
> On Friday 02 June 2006 23:39, Andi Kleen wrote:
> > A possible different way would be to create a new name space using
> > clone(CLONE_NEWNS) and overwrite all binaries/directories you want to
> > be different with mount --bind in the new name space.
> >
> > There isn't a program included to do this but it should be relatively
> > easy to write.
>
> Sounds like ~10 lines of code, i.e. clone with the CLONE_NEWNS flag, and
> if you get a pid, wait for exit of all childs and exit(), otherwise
> mount() to "/lib" with the MS_BIND flag, set the user id, and exec() to
> the remainings of arg[] (or /bin/bash if empty).
In principle yes. Actually this solution does provide some additional risks
you should consider: A system that allows a normal user to execute
applications with the SUID bit set together with user selected library
replacements can trivially be compromised by this user. Thus unless you don't
care about security at all you have to make sure that either only libraries
can be installed that are approved by the sysadmin or that the user does no
longer have the option to execute SUID or SGID binaries within the new
namespace.
Robert
--
Robert Schiele Tel.: +49-621-181-2214
Dipl.-Wirtsch.informatiker mailto:rschiele@xxxxxxxxxxxxxxx
"Quidquid latine dictum sit, altum sonatur."
| < Previous | Next > |