Package: util-linux
Version: 2.25.2-5
Severity: important
File: /usr/bin/unshare
Tags: upstream patch

Dear Maintainer,

`unshare -r` for root and `unshare -Ur` for users used to work for me on
Jessie in 2014. Now they don't:

    # root@teco:/home/kirr# uname -a
    Linux teco 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt7-1 (2015-03-01) x86_64 GNU/Linux
    root@teco:/home/kirr# whoami
    root
    # root@teco:/home/kirr# unshare -r
    unshare: write failed /proc/self/gid_map: Operation not permitted

    kirr@teco:~$ whoami
    kirr
    kirr@teco:~$ unshare -Ur
    unshare: write failed /proc/self/gid_map: Operation not permitted

because of the kernel upgrade with security fixes.

util-linux upstream has a patch to fix the problem, which I've prepared to be
applied on top of pkg-util-linux.git and include here.

Please apply (git am -s) and thanks beforehand,
Kirill

---- 8< ----
From: Kirill Smelkov <k...@nexedi.com>
Date: Fri, 20 Mar 2015 14:32:11 +0300
Subject: [PATCH] Cherry-pick `unshare -r` fix from upstream

Since Linux 3.16.7-ckt4-1, the Debian kernel has included patches to
"disallow setgroups until a gid mapping has been established" and other
patches to "Prevent evasion of group negative permissions through a
userns" (CVE-2014-8989):

    http://anonscm.debian.org/viewvc/kernel/dists/trunk/linux/debian/changelog?revision=22343&view=markup
    ( lines 327-332:

      - userns: Prevent evasion of group negative permissions through a userns
        (CVE-2014-8989):
        + Don't allow setgroups until a gid mapping has been setablished
        + Don't allow unprivileged creation of gid mappings
        + Add a knob to disable setgroups on a per user namespace basis
        + Allow setting gid_maps without privilege when setgroups is disabled )

That, however, resulted in `unshare -r` now being broken:

    # root@teco:/home/kirr# uname -a
    Linux teco 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt7-1 (2015-03-01) x86_64 GNU/Linux
    root@teco:/home/kirr# whoami
    root
    # root@teco:/home/kirr# unshare -r
    unshare: write failed /proc/self/gid_map: Operation not permitted

and `unshare -Ur` for user namespaces is broken too:

    kirr@teco:~$ whoami
    kirr
    kirr@teco:~$ unshare -Ur
    unshare: write failed /proc/self/gid_map: Operation not permitted

though it used to work in 2014 before 3.16.7-ckt4-1 kernel upgrade in
Jessie.

Upstream has a fix for this:

    https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119

which is also mentioned in

    https://bugzilla.redhat.com/show_bug.cgi?id=1184294

After applying the patch both `unshare -r` for root, and `unshare -Ur`
for userns work for me again.
---
 debian/patches/series                              |  1 +
 ...-Fix-map-root-user-to-work-on-new-kernels.patch | 71 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 
debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch

diff --git a/debian/patches/series b/debian/patches/series
index 6428b26..577ad52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ Update-Japanese-translation.patch
 Update-Russian-translation.patch
 Trivial-unfuzzy.patch
 libblkid-care-about-unsafe-chars-in-cache.patch
+unshare-Fix-map-root-user-to-work-on-new-kernels.patch
diff --git 
a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
new file mode 100644
index 0000000..9a469c1
--- /dev/null
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
@@ -0,0 +1,71 @@
+From: "Eric W. Biederman" <ebied...@xmission.com>
+Date: Wed, 17 Dec 2014 17:06:03 -0600
+Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
+Origin: 
https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
+
+In rare cases droping groups with setgroups(0, NULL) is an operation
+that can grant a user additional privileges.  User namespaces were
+allwoing that operation to unprivileged users and that had to be
+fixed.
+
+Update unshare --map-root-user to disable the setgroups operation
+before setting the gid_map.
+
+This is needed as after the security fix gid_map is restricted to
+privileged users unless setgroups has been disabled.
+
+Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
+---
+ include/pathnames.h |  1 +
+ sys-utils/unshare.c | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/include/pathnames.h b/include/pathnames.h
+index 0d21b98..cbc93b7 100644
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -93,6 +93,7 @@
+ 
+ #define _PATH_PROC_UIDMAP     "/proc/self/uid_map"
+ #define _PATH_PROC_GIDMAP     "/proc/self/gid_map"
++#define _PATH_PROC_SETGROUPS  "/proc/self/setgroups"
+ 
+ #define _PATH_PROC_ATTR_CURRENT       "/proc/self/attr/current"
+ #define _PATH_PROC_ATTR_EXEC  "/proc/self/attr/exec"
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index fccdba2..9fdce93 100644
+--- a/sys-utils/unshare.c
++++ b/sys-utils/unshare.c
+@@ -39,6 +39,24 @@
+ #include "pathnames.h"
+ #include "all-io.h"
+ 
++static void disable_setgroups(void)
++{
++      const char *file = _PATH_PROC_SETGROUPS;
++      const char *deny = "deny";
++      int fd;
++
++      fd = open(file, O_WRONLY);
++      if (fd < 0) {
++              if (errno == ENOENT)
++                      return;
++               err(EXIT_FAILURE, _("cannot open %s"), file);
++      }
++
++      if (write_all(fd, deny, strlen(deny)))
++              err(EXIT_FAILURE, _("write failed %s"), file);
++      close(fd);
++}
++
+ static void map_id(const char *file, uint32_t from, uint32_t to)
+ {
+       char *buf;
+@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
+       }
+ 
+       if (maproot) {
++              disable_setgroups();
+               map_id(_PATH_PROC_UIDMAP, 0, real_euid);
+               map_id(_PATH_PROC_GIDMAP, 0, real_egid);
+       }
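Review bot: as pasted, the nested patch's `Origin:` header (the two lines starting `+Origin: ` and `https://git.kernel.org/cgit/utils/util-linux/...`) has been wrapped so that the URL continuation lacks the leading `+`; the hunk header `@@ -0,0 +1,71 @@` then no longer matches the number of `+` lines and `git am` will refuse the patch. Please resend with the long line unwrapped (for example via `git send-email`, or as an attachment) so the series applies cleanly. Minor style point in the added `disable_setgroups()`: the line `err(EXIT_FAILURE, _("cannot open %s"), file);` carries one extra leading space compared with the surrounding indentation; if the cherry-pick is meant to stay byte-identical to upstream it can remain, otherwise it is worth aligning. The ordering itself is right: `disable_setgroups();` is called before `map_id(_PATH_PROC_GIDMAP, 0, real_egid);`, which is exactly what the kernel change requires, and the `ENOENT` early return keeps the tool working on kernels that predate `/proc/self/setgroups`.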
-- 
2.3.3.395.g6452570
---- 8< ----
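To make the kernel requirement the patch relies on concrete, here is an added example (not code from this report, from util-linux, or from the upstream commit) that performs the same sequence as the fixed `--map-root-user` from a standalone C program: read the outer uid/gid first, `unshare(CLONE_NEWUSER)`, write `deny` to `/proc/self/setgroups` (tolerating `ENOENT` on kernels without the knob), then write single-line `uid_map` and `gid_map` entries. The function names (`write_string`, `format_id_map`, `deny_setgroups`, `map_root_user`) are my own. On a kernel with the CVE-2014-8989 fix, leaving out the `deny_setgroups()` step is what produces the `Operation not permitted` failure at the `gid_map` write that the report shows.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* fallback if sched.h was included without _GNU_SOURCE */
#define CLONE_NEWUSER 0x10000000
#endif

/* Write a short string to a file with a single write(2); return 0 or -errno.
 * The kernel insists that an id map (and the setgroups knob) arrive in one write. */
static int write_string(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    if ((size_t)n != len)
        return -EIO;
    return 0;
}

/* Format one "inside outside 1" line as written to uid_map/gid_map.
 * Returns the number of characters produced, or -1 if buf is too small. */
int format_id_map(char *buf, size_t size, uint32_t inside, uint32_t outside)
{
    int n = snprintf(buf, size, "%u %u 1", (unsigned)inside, (unsigned)outside);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Step 1: deny setgroups in the new namespace. ENOENT means a kernel that
 * predates the fix, where gid_map writes were not gated on this knob. */
int deny_setgroups(void)
{
    int rc = write_string("/proc/self/setgroups", "deny");
    return rc == -ENOENT ? 0 : rc;
}

/* Full sequence, mirroring what unshare --map-root-user does after the fix:
 * capture the outer ids, enter a new user namespace, deny setgroups, then map
 * uid 0 / gid 0 onto the outer ids. Returns 0 or -errno. */
int map_root_user(void)
{
    uid_t outer_uid = geteuid();   /* must be read before unshare(): inside the */
    gid_t outer_gid = getegid();   /* unmapped namespace they read as the overflow id */
    char line[64];
    int rc;

    /* syscall() rather than unshare() so no feature macro is needed for the prototype */
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0)
        return -errno;             /* EPERM/EINVAL: user namespaces unavailable here */

    rc = deny_setgroups();
    if (rc)
        return rc;

    format_id_map(line, sizeof line, 0, (uint32_t)outer_uid);
    rc = write_string("/proc/self/uid_map", line);
    if (rc)
        return rc;

    format_id_map(line, sizeof line, 0, (uint32_t)outer_gid);
    /* without the deny above, this write fails with EPERM on fixed kernels */
    return write_string("/proc/self/gid_map", line);
}

int main(void)
{
    int rc = map_root_user();
    if (rc) {
        fprintf(stderr, "map_root_user: %s\n", strerror(-rc));
        return 1;
    }
    printf("inside namespace: uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Build with `cc -Wall -o map_root map_root.c` and run it as an unprivileged user on a kernel that permits unprivileged user namespaces; it should print `uid=0 gid=0`. Note that `geteuid()`/`getegid()` are read before `unshare()`, exactly as `unshare.c` records `real_euid`/`real_egid` up front, because inside a namespace with no mapping yet they return the overflow id rather than the caller's real ids.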



-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages util-linux depends on:
ii  initscripts    2.88dsf-58
ii  libblkid1      2.25.2-5
ii  libc6          2.19-15
ii  libmount1      2.25.2-5
ii  libncurses5    5.9+20140913-1+b1
ii  libpam0g       1.1.8-3.1
ii  libselinux1    2.3-2
ii  libslang2      2.3.0-2
ii  libsmartcols1  2.25.2-5
ii  libtinfo5      5.9+20140913-1+b1
ii  libuuid1       2.25.2-5
ii  lsb-base       4.1+Debian13+nmu1
ii  tzdata         2015a-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

util-linux recommends no packages.

Versions of packages util-linux suggests:
ii  dosfstools          3.0.27-1
ii  kbd                 1.15.5-2
pn  util-linux-locales  <none>

-- debconf information:
  util-linux/noauto-with-nonzero-passnum:

