[buildd-tools-devel] Bug#526788: Bug#526788: schroot allows a user to do a local DoS

Roger Leigh rleigh at codelibre.net
Sun May 3 15:39:23 UTC 2009


On Sun, May 03, 2009 at 05:12:01PM +0200, Aurelien Jarno wrote:
> Package: schroot
> Version: 1.2.2-1
> Severity: important
> Tags: security patch
> 
> In script mode, schroot mounts a new tmpfs (with a default size of half
> the RAM) to act as /dev/shm inside the chroot and for each created
> chroot (a user can create more than one), as shown below. Those
> directories are world writable, meaning that a user can fill them, and
> with them RAM and swap. As soon as the whole RAM and swap have been
> filled, the kernel starts OOM killing every task, leading to a crash
> of the machine.

This is also the case for /lib/init/rw.  There should really be a strict
size limit placed on it (even on the host).  #390184 BTW.

> The correct solution here is to bind mount /dev/shm, as it is already
> done for /home, /tmp and /dev/pts. The patch below does that:

We share /home, /tmp for user convenience.  We share /dev/pts because
there's no choice (we could mount it twice but it's pointless).
For /dev/shm we are sharing the POSIX SHM and SEM data between host
and chroot.  My question here is, do we want to share that data?

I'm perfectly happy with the patch, I just want to question whether
sharing shared memory is needed or desirable.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.





More information about the Buildd-tools-devel mailing list