On Sun, May 03, 2009 at 06:03:12PM +0200, Aurelien Jarno wrote: > On Sun, May 03, 2009 at 04:39:23PM +0100, Roger Leigh wrote: > > On Sun, May 03, 2009 at 05:12:01PM +0200, Aurelien Jarno wrote: > > > Package: schroot > > > Version: 1.2.2-1 > > > Severity: important > > > Tags: security patch > > > > > > In script mode, schroot mounts a new tmpfs (with a default size of half > > > the RAM) to act as /dev/shm inside the chroot and for each created > > > chroot (a user can create more than one), as shown below. Those > > > directories are world writable, meaning that a user can fill them, and > > > with them RAM and swap. As soon as the whole RAM and swap have been > > > filled, the kernel starts OOM killing every task, leading to a crash > > > of the machine. > > > > This is also the case for /lib/init/rw. There should really be a strict > > size limit placed on it (even on the host). #390184 BTW. > > /lib/init/rw is not world writable, so a normal user can't do anything > here. > > > > The correct solution here is to bind mount /dev/shm, as it is already > > > done for /home, /tmp and /dev/pts. The patch below does that: > > > > We share /home, /tmp for user convenience. We share /dev/pts because > > there's no choice (we could mount it twice but it's pointless). > > For /dev/shm we are sharing the POSIX SHM and SEM data between host > > and chroot. My question here is, do we want to share that data? > > > > I'm perfectly happy with the patch, I just want to question whether > > sharing shared memory is needed or desirable. > > > > I am not sure it is something needed or desirable, however I don't think > it is something that hurts. chroot() is something that only isolates the > filesystem, and a lot of things are already shared between the host and > the chroot.
OK, I'll apply the patch as is. I need to merge some other bits first, but it should be done later on today with luck. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
