On Monday 05 June 2006 19:48, Robert Schiele wrote:
> On Mon, Jun 05, 2006 at 07:20:54PM +0200, Bernd Paysan wrote:
> > Sounds like ~10 lines of code, i.e. clone() with the CLONE_NEWNS flag, and if you get a pid, wait for exit of all children and exit(); otherwise mount() to "/lib" with the MS_BIND flag, set the user id, and exec() the remainder of argv[] (or /bin/bash if empty).
>
> In principle yes. Actually this solution does provide some additional risks you should consider: A system that allows a normal user to execute applications with the SUID bit set together with user-selected library replacements can trivially be compromised by this user.

The library replacement is not user selected - it would be hard-coded into the wrapper. And it will be r/o for normal users.

> Thus, unless you don't care about security at all, you have to make sure that either only libraries can be installed that are approved by the sysadmin or that the user does no longer have the option to execute SUID or SGID binaries within the new namespace.

Exactly.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://www.jwdt.com/~paysan/
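The wrapper sketched above (clone with CLONE_NEWNS, bind-mount a hard-coded library tree over /lib, drop to the calling user, exec the rest of argv), written out as an added example; this is not code from either poster. It also builds in the two checks the thread argues about: the library tree is refused unless it is root-owned and not writable by group or world (the "approved by the sysadmin / r/o for normal users" condition), and the child sets PR_SET_NO_NEW_PRIVS before exec so that SUID and SGID binaries run inside the new namespace cannot gain privilege while loading the replaced libraries (Robert's second option). The LIBDIR path, the 64 KiB clone stack and the assumption of a downward-growing stack are choices made for this example; PR_SET_NO_NEW_PRIVS (Linux 3.5) and the MS_PRIVATE remount (needed once shared subtrees, Linux 2.6.15, make / a shared mount, as systemd does) both postdate the 2006 thread.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Replacement library tree, hard-coded at build time as the thread suggests.
 * The path itself is an assumption of this example. */
#ifndef LIBDIR
#define LIBDIR "/opt/altlibs/lib"
#endif
#define STACK_SIZE (64 * 1024)

struct child_args { uid_t uid; gid_t gid; char **argv; };

/* Exec target: the remainder of argv[], or /bin/bash when nothing is given. */
char **choose_argv(int argc, char **argv)
{
    static char *shell[] = { "/bin/bash", NULL };
    return argc > 1 ? argv + 1 : shell;
}

/* Refuse a tree ordinary users could have modified: it must be a directory,
 * owned by root, and not group- or world-writable.  0 = acceptable, -1 = no. */
int validate_libdir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Drop from the wrapper's root euid to the invoking user.  Groups first,
 * then gid, then uid (uid last, since the others need root), then verify. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Runs in the new mount namespace. */
static int child(void *p)
{
    struct child_args *a = p;

    /* Make the tree private so the bind mount cannot propagate back to the
     * host namespace when / is a shared mount. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) { perror("mount private"); return 127; }
    if (mount(LIBDIR, "/lib", NULL, MS_BIND, NULL) != 0)        { perror("mount bind");    return 127; }
    /* Keep the replacement read-only for the user, as promised in the thread. */
    if (mount(NULL, "/lib", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) != 0) { perror("remount ro"); return 127; }
    if (drop_privs(a->uid, a->gid) != 0) { perror("drop_privs"); return 127; }
    /* From here on execve() of a set-uid/set-gid binary does not raise
     * privilege, so a compromised /lib inside this namespace is no longer a
     * path to root. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { perror("prctl"); return 127; }
    execvp(a->argv[0], a->argv);
    perror("execvp");
    return 127;
}

int main(int argc, char **argv)
{
    struct child_args a = { getuid(), getgid(), choose_argv(argc, argv) };
    char *stack;
    pid_t pid;
    int status;

    if (validate_libdir(LIBDIR) != 0) {
        fprintf(stderr, "%s: refusing to use %s (missing, not root-owned, or writable)\n", argv[0], LIBDIR);
        return 1;
    }
    if ((stack = malloc(STACK_SIZE)) == NULL) { perror("malloc"); return 1; }
    /* CLONE_NEWNS needs CAP_SYS_ADMIN, so the wrapper is installed set-uid root. */
    pid = clone(child, stack + STACK_SIZE, CLONE_NEWNS | SIGCHLD, &a);
    if (pid < 0) { perror("clone"); return 1; }
    /* The parent only waits; it has no reason to keep root meanwhile. */
    if (drop_privs(a.uid, a.gid) != 0) { perror("drop_privs"); return 1; }
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```

Without PR_SET_NO_NEW_PRIVS the only safe configuration is the one Robert names first: the tree under LIBDIR must be something only the sysadmin can write, which is exactly what validate_libdir() enforces before the bind mount is attempted. Note that ld.so's usual defence (ignoring LD_LIBRARY_PATH for set-uid programs) does not help here, because a bind mount over /lib replaces the trusted search path itself.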