Entering a user namespace from a core_pattern helper
by Jakub Filak
I've been working on introducing user namespaces (i.e. containers) to ABRT
core_pattern helper. I've learned that I must not trust anybody, thus I must not
run any command from the crashing process' root directory. I've also learned it
is not safe to run 'rpm --root /proc/[pid]/root -qf /the/executable'.
However I want to teach ABRT to get rpm package data from the container. I
believe users will appreciate it.
So I got the idea to run 'rpm' from the crashing process' root directory without
I plan to run the following command from ABRT core_pattern helper:
-S $(id nobody -u)
-G $(id nobody -g)
The command enters the $PID's mount namespace, sets UID and GID to nobody (I use
the nobody user because I don't want to introduce another single purpose user -
maybe it is not a good idea) and runs rpm.
Are there any security problems with it?
Thank you for reading my email.
7 years, 1 month