hosted reproducible package building with multiple developers?

Daniel P. Berrange berrange at redhat.com
Fri Dec 10 18:12:18 UTC 2010


On Fri, Dec 10, 2010 at 01:01:56PM -0500, James Ralston wrote:
> On 2010-12-10 at 14:02+00 Daniel P Berrange <berrange at redhat.com> wrote:
> 
> > I'm not familiar with what attacks you can do on mock's chroot setup
> > offhand
> 
> <http://fedoraproject.org/wiki/Projects/Mock> describes an easy one:
> 
> $ /usr/bin/mock --init -r fedora-10-i386
> $ /usr/bin/mock --shell -r fedora-10-i386
> mock-chroot> chmod u+s bin/bash
> $ /var/lib/mock/fedora-10-i386/root/bin/bash -p
> # cat /etc/shadow
> 
> > but perhaps it is possible to avoid them by also leveraging some of
> > the new kernel container features which allow you to build stronger
> > virtual root, without going to the extreme of a full VM.
> 
> There are two challenges here.
> 
> First, you must be able to prevent the root user from breaking out of
> the chroot jail.
> 
> But second, you must also prevent unprivileged users outside of the
> chroot jail from being able to interact with things inside the chroot
> jail in a manner that they can use to escalate their privileges.
> 
> Setting up a setuid bash shell within the chroot jail and then
> invoking it via a normal user outside of the jail is the obvious
> example, but there are undoubtedly other avenues of attack that must
> be defended.

Oh fun, I didn't notice the permissions in /var/lib/mock/$NAME/root
were so open as to allow access from non-root users outside the
chroot. That could be locked down though, so that stuff inside the
chroot was only visible while on the inside.

Daniel
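As an added example that is not part of this thread or of mock itself: a small POSIX shell audit for the two conditions the quoted session combines (a chroot root that other host users can traverse, and a setuid/setgid file inside it), with the lock-down Daniel describes applied to a constructed throwaway directory rather than a real /var/lib/mock tree. All directory names and the demo file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mock project: audit a chroot tree for the
# combination discussed above and apply the obvious fix.

# Report problems; return 0 when clean, 1 when something was found.
audit_chroot() {
    root="$1"
    status=0
    # 1. If "other" can search the chroot root, any host user can run what is inside.
    if [ -n "$(find "$root" -prune -perm -o=x)" ]; then
        echo "WARN: $root is traversable by other users"
        status=1
    fi
    # 2. setuid/setgid files inside the tree are the payload of the quoted attack.
    suid=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$suid" ]; then
        echo "$suid" | sed 's/^/WARN: setuid\/setgid file inside chroot: /'
        status=1
    fi
    return $status
}

# Lock the tree down: only the owner (and group) may enter it, and no file
# inside keeps a setuid/setgid bit.
harden_chroot() {
    root="$1"
    chmod o-rwx "$root"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Constructed demo tree (not a real mock root): world-traversable, with a
# setuid shell script standing in for the chmod u+s bin/bash of the thread.
build_demo_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho demo\n' > "$d/bin/bash"
    chmod 755 "$d"
    chmod 4755 "$d/bin/bash"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(build_demo_chroot)
    audit_chroot "$d" || echo "-- hardening --"
    harden_chroot "$d"
    audit_chroot "$d" && echo "clean"
    rm -rf "$d"
fi
```

Stripping the bits is the blunt form of the fix; mounting the chroot's filesystem with `nosuid` has the same effect on execution without altering file modes, and the directory-mode check is the part that closes the "from outside the jail" path the thread is about.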
