Requiring all files in /usr to be world-readable?

Andrew Lutomirski luto at mit.edu
Tue Nov 4 17:11:56 UTC 2014


On Tue, Nov 4, 2014 at 8:42 AM, Miloslav Trmač <mitr at redhat.com> wrote:
> Hello,
> ----- Original Message -----
>> On Mon, 03.11.14 09:13, Miloslav Trmač (mitr at redhat.com) wrote:
>> > Hello,
>> > ----- Original Message -----
>> > > On Fri, 31.10.14 10:04, Andrew Lutomirski (luto at mit.edu) wrote:
>> > >
>> > > > I filed an FPC ticket: https://fedorahosted.org/fpc/ticket/467
>> > > >
>> > > > Thoughts?
>> > >
>> > > I very much agree with this, but I'd really prefer if we'd list what
>> > > is allowed rather than just declare what is forbidden.
>> >
>> > What is the use case for such a blanket requirement?  fpc/467 lists
>> > the virt thing I so far disagree with, and other use cases in there
>> > actually need much less than all of /usr.
>>
>> We are working on allowing stateless system boot up with /usr. For
>> that I really want the ability that any user can copy /usr to some
>> other place without having privileges, and then boot that
>> up. Replicating a system shouldn't require privileges.
>
> Could you expand on the flow of thought from “stateless system” to “distribution by replication” and (separately?) “administration/replication by any user”?  I don’t see how that follows.
>

I can only speak for my own perspective on this, which may not match
Lennart's at all:

A major part of the stateless system idea is that /usr should contain
all of the files needed to boot what is effectively a fresh install.
IOW, systemd should be able to boot a fully-functional system that
starts with an empty /etc and /var, OS code in /usr, and a handful of
kernel-provided mounts and symlinks filling out the root directory.

If /usr is world-readable, then an unprivileged user can use /usr to
boot a fully-functional Fedora system in a number of ways.  They can
pipe it into QEMU/KVM using virtfs (what virtme does, although it's
not currently targeting this use case), they can bind-mount it into an
unprivileged container (I have no idea whether LXC can do this easily
right now, but it's straightforward.  I imagine that someone will add
support to nspawn to do exactly this at some point.  As of the last
time I looked at the nspawn code, it wasn't set up for this yet,
though.)  They can serve it over whatever protocol they like (NFS
using Ganesha, for example) to another physical machine and run it
there.  I'm sure that other people might think of other uses for this.

virtme will give you a fully functional Fedora shell right now (no
systemd) in a couple of seconds.  You can try it:

$ sudo dnf install virtme qemu-system-x86 [or whatever the appropriate QEMU is]
$ virtme-run --installed-kernel

If you try to run any of the audit tools inside virtme, you can't,
because virtme can't read them from /usr.  If I wrote the small amount
of code needed, then you could run:

$ virtme-run --installed-kernel --stateless-usr=/usr --graphics

This is likely to have all kinds of problems as a result of the polkit
rules being unreadable, though.

See:

http://0pointer.net/blog/projects/stateless.html

--Andy
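The check a practitioner would want before relying on an unprivileged copy of /usr is a list of exactly which entries such a copy would lose. The POSIX shell script below is an added example, not code from this thread, virtme or systemd; the miniature tree it builds is constructed for the demo and its file names are assumptions.

```sh
#!/bin/sh
# Added audit helper (not from the thread, virtme or systemd): list the entries
# under a tree that an unprivileged user cannot read, i.e. what would be missing
# from an unprivileged copy of /usr. Regular files need o+r; directories need
# o+r and o+x (without o+x nothing below the directory is reachable). Symlinks
# are skipped, since their own mode bits do not matter.

# unreadable_by_others [DIR]: print one offending path per line (DIR defaults to /usr).
unreadable_by_others() {
    root="${1:-/usr}"
    find "$root" \( \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \) \) -print 2>/dev/null
}

# count_unreadable [DIR]: number of offending entries, for use in a pass/fail check.
count_unreadable() {
    unreadable_by_others "$1" | wc -l | tr -d ' '
}

# demo_tree: build a constructed miniature /usr in a temp directory and print its
# path. Names are made up for the demo; only the mode bits matter.
demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/bin" "$d/sbin" "$d/share/polkit-1/rules.d"
    chmod 0755 "$d" "$d/bin" "$d/share" "$d/share/polkit-1" "$d/share/polkit-1/rules.d"
    : > "$d/bin/ok";                               chmod 0755 "$d/bin/ok"          # readable, fine
    : > "$d/share/polkit-1/rules.d/50-demo.rules"; chmod 0600 "$d/share/polkit-1/rules.d/50-demo.rules"  # unreadable rule
    : > "$d/sbin/audit-tool";                      chmod 0750 "$d/sbin/audit-tool"  # unreadable binary
    chmod 0700 "$d/sbin"                                                             # untraversable dir
    printf '%s\n' "$d"
}

# Stand-alone use: `sh audit-usr.sh /usr` prints the offenders and exits 1 if any
# were found, so the script can gate an image build.
if [ "$#" -gt 0 ]; then
    unreadable_by_others "$1"
    [ "$(count_unreadable "$1")" = "0" ] || exit 1
fi
```

On a real /usr the output is the list of files the polkit rules and audit tools mentioned above belong to; each line is either a packaging bug to report or a deliberate exception that the stateless copy has to live without.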

