[buildd-tools-devel] schroot unionfs security model
Roger Leigh
rleigh at codelibre.net
Mon Sep 28 08:28:58 UTC 2009
On Thu, Aug 13, 2009 at 09:06:42AM -0400, Tim Abbott wrote:
> Geoffrey Thomas mentioned to me the following interesting potential
> problem in schroot's security model in relation to union mounts:
>
> Suppose that you have a shared access server where you want users to be
> able to access a Debian chroot, and you further want to give them limited
> ability to change the filesystem inside their session chroot (e.g. imagine
> you have a secure setuid program that lets you install new libdevel
> packages for building software, and that's it), without changing the state
> for other users. You set up the chroot using the new unionfs chroot
> functionality, and make it so any user can create their own a new unionfs
> session chroot.
>
> However, any user who can begin a new such session can also enter other
> users' sessions and change files in the snapshot, and end other users'
> sessions as well. So our shared access server setup doesn't have the
> security properties that I think one would a priori expect it to have.
>
> The obvious fix is to store which user created a session in
> /var/lib/schroot/session and only give that user and root the ability to
> access their sessions. I haven't had time to think about whether that
> model causes any problems, or whether e.g. people who can enter the
> source chroot as root should also have access...
The current master branch in git now removes all but the user creating
the session from users and root-users, and all entries from groups and
root-groups so only the user and root may access the session. The user
is kept in users or root-users depending on if they were in root-users
or root-groups initially or not.
If you'd like to give this a try and let me know if it's what you were
looking for, I'd be very grateful.
Regards,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
More information about the Buildd-tools-devel
mailing list