mounts with "bind,nosuid" won't apply nosuid #91

Open
hiciu opened this issue Jun 19, 2016 · 2 comments

hiciu commented Jun 19, 2016

Hello,

A few times in uwsgi_it_api/uwsgi_it_api/templates/vassal.ini a hook similar to this is used:

; map /run
hook-as-root = mount:none /containers/{{container.uid}}/run /run bind,nosuid

According to man 8 mount, the mount syscall can't handle additional options after "bind": when using bind it is necessary to call mount a second time, with "remount" and the other options. (This is handled transparently by /usr/bin/mount.)

I tested this under Debian Jessie, with kernel 3.16.7-ckt11-1+deb8u6. This configuration:

; mount bind /var/www
hook-as-root = mount:none /.old_root/containers/test1/www /var/www bind,nosuid,nodev,noexec

still allowed me to run executables with suid bit from /var/www.

This one:

; mount bind /var/www
hook-as-root = mount:none /.old_root/containers/test1/www /var/www bind,nosuid,nodev,noexec

did not.

I am not sure if this could be considered as a bug.

unbit (Owner) commented Jun 23, 2016

Well if suid apps can be run in a container it is a security problem (especially for users having their custom distros). I think your second config misses a line (the one where we remount the dir). Would you like to paste a working configuration?

hiciu (Author) commented Jun 23, 2016

> I think your second config misses a line (the one where we remount the dir).

Yes, you are right, sorry! I meant to paste the snippet with remount there.

> Well if suid apps can be run in a container it is a security problem

I don't have a full uwsgi.it installation so I cannot be 100% sure, but I don't think this is that severe. You still have to somehow smuggle in a binary with the suid bit. You can't smuggle it in a custom distro because only the root directory is bind-mounted, and the root directory is correctly remounted later with the nosuid option.

In this configuration only 3 directories could hold suid binaries: /run, /tmp and /var/tmp.

In my opinion this is more of a documentation issue. It's just the way the Linux mount syscall works: if there is a bind option it will ignore any other options (not only "nosuid", but things like "ro" too). Maybe uwsgi should throw a warning / error if a bind mount has additional options specified.

Anyway, I prepared something you could call minimal repro case: https://gist.github.com/hiciu/8739c2f0c94296395aa6e629438bf045

On my uwsgi "bind,nosuid" is not enough to prevent suid executables from being executed. Here is output with only "bind,nosuid":

[uWSGI] getting INI configuration from emperor.ini
*** Starting uWSGI 2.0.13.1 (64bit) on [Thu Jun 23 17:36:00 2016] ***
compiled with version: 6.1.1 20160602 on 15 June 2016 01:14:13
os: Linux-4.6.2-1-ARCH #1 SMP PREEMPT Wed Jun 8 08:40:59 CEST 2016
nodename: unknown
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 4
current working directory: /home/hiciu/scratchspace/2016-06/23/uwsgi
detected binary path: /usr/bin/uwsgi
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
your processes number limit is 63993
your memory page size is 4096 bytes
detected max file descriptor number: 4096
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
*** starting uWSGI Emperor ***
*** has_emperor mode detected (fd: 6) ***
*** RRDtool library available at 0xd3cc30 ***
your mercy for graceful operations on workers is 60 seconds
*** Operational MODE: no-workers ***
spawned uWSGI master process (pid: 74577)
[uWSGI] getting INI configuration from test.ini
*** Starting uWSGI 2.0.13.1 (64bit) on [Thu Jun 23 17:36:00 2016] ***
compiled with version: 6.1.1 20160602 on 15 June 2016 01:14:13
os: Linux-4.6.2-1-ARCH #1 SMP PREEMPT Wed Jun 8 08:40:59 CEST 2016
nodename: unknown
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 4
current working directory: /home/hiciu/scratchspace/2016-06/23/uwsgi/vassals
detected binary path: /usr/bin/uwsgi
running "callret:chdir /" (pre-jail)...
uWSGI running as root, you can use --uid/--gid/--chroot options
running "mount:none none / recursive,private" (post-jail)...
running "mount:none /var/lib/machines/stretch /tmp/ns bind,nosuid" (post-jail)...
re-fork()ing...
running "mount:proc none /proc" (as root)...
running "umount:/.old_root recursive,detach" (as root)...
setgid() to 100
setuid() to 1000
running "exec:/test" (as user)...
-rwsr-sr-x 1 root root 6792 Jun 23 15:35 /test
0
/dev/mapper/vgssd-rootfs on / type ext4 (rw,relatime,data=ordered)
none on /proc type proc (rw,relatime)
your processes number limit is 63993
your memory page size is 4096 bytes
detected max file descriptor number: 4096
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
The -s/--socket option is missing and stdin is not a socket.
Thu Jun 23 17:36:00 2016 - [emperor] curse the uwsgi instance test.ini (pid: 74580)
Thu Jun 23 17:36:00 2016 - [emperor] removed uwsgi instance test.ini

(as you can see /test was executed with root privileges)

Here is output with "bind,nosuid" and "remount,nosuid":

[uWSGI] getting INI configuration from emperor.ini
*** Starting uWSGI 2.0.13.1 (64bit) on [Thu Jun 23 17:39:42 2016] ***
compiled with version: 6.1.1 20160602 on 15 June 2016 01:14:13
os: Linux-4.6.2-1-ARCH #1 SMP PREEMPT Wed Jun 8 08:40:59 CEST 2016
nodename: unknown
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 4
current working directory: /home/hiciu/scratchspace/2016-06/23/uwsgi
detected binary path: /usr/bin/uwsgi
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
your processes number limit is 63993
your memory page size is 4096 bytes
detected max file descriptor number: 4096
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
*** starting uWSGI Emperor ***
*** RRDtool library available at 0x1a3ec30 ***
your mercy for graceful operations on workers is 60 seconds
*** Operational MODE: no-workers ***
spawned uWSGI master process (pid: 74893)
*** has_emperor mode detected (fd: 6) ***
[uWSGI] getting INI configuration from test.ini
*** Starting uWSGI 2.0.13.1 (64bit) on [Thu Jun 23 17:39:42 2016] ***
compiled with version: 6.1.1 20160602 on 15 June 2016 01:14:13
os: Linux-4.6.2-1-ARCH #1 SMP PREEMPT Wed Jun 8 08:40:59 CEST 2016
nodename: unknown
machine: x86_64
clock source: unix
pcre jit disabled
detected number of CPU cores: 4
current working directory: /home/hiciu/scratchspace/2016-06/23/uwsgi/vassals
detected binary path: /usr/bin/uwsgi
running "callret:chdir /" (pre-jail)...
uWSGI running as root, you can use --uid/--gid/--chroot options
running "mount:none none / recursive,private" (post-jail)...
running "mount:none /var/lib/machines/stretch /tmp/ns bind,nosuid" (post-jail)...
re-fork()ing...
running "mount:proc none /proc" (as root)...
running "umount:/.old_root recursive,detach" (as root)...
running "mount:none none / remount,nosuid" (as root)...
setgid() to 100
setuid() to 1000
running "exec:/test" (as user)...
-rwsr-sr-x 1 root root 6792 Jun 23 15:35 /test
1000
/dev/mapper/vgssd-rootfs on / type ext4 (rw,nosuid,relatime,data=ordered)
none on /proc type proc (rw,relatime)
your processes number limit is 63993
your memory page size is 4096 bytes
detected max file descriptor number: 4096
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
The -s/--socket option is missing and stdin is not a socket.
Thu Jun 23 17:39:43 2016 - [emperor] curse the uwsgi instance test.ini (pid: 74896)
Thu Jun 23 17:39:43 2016 - [emperor] removed uwsgi instance test.ini

(nosuid worked, /test was executed as user)

Diff, ignoring unimportant lines:

@@ -40,12 +40,13 @@
 re-fork()ing...
 running "mount:proc none /proc" (as root)...
 running "umount:/.old_root recursive,detach" (as root)...
+running "mount:none none / remount,nosuid" (as root)...
 setgid() to 100
 setuid() to 1000
 running "exec:/test" (as user)...
 -rwsr-sr-x 1 root root 6792 Jun 23 15:35 /test
-0
-/dev/mapper/vgssd-rootfs on / type ext4 (rw,relatime,data=ordered)
+1000
+/dev/mapper/vgssd-rootfs on / type ext4 (rw,nosuid,relatime,data=ordered)
 none on /proc type proc (rw,relatime)
 your processes number limit is 63993
 your memory page size is 4096 bytes
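
Review bot: the hook added at the `+running "mount:none none / remount,nosuid"` line sets only nosuid, and only on `/`. The `-` line shows `/` as `rw,relatime` after the `bind,nosuid` call, so none of the extra flags given with bind took effect; every flag wanted on a mount (nodev, noexec, ro) has to be repeated in its remount hook, and each other bind-mounted directory needs a remount hook of its own. It would also help if the repro printed the flags of those directories, since the output here lists only `/` and `/proc`.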

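
The two-call sequence discussed in this thread, as an added C example (not code from uWSGI or from either commenter): an option string that combines `bind` with other flags is split into a plain `MS_BIND` call followed by an `MS_REMOUNT|MS_BIND` call that carries the flags. The names `opt_table`, `parse_opts`, `plan_mount` and `bind_mount` are hypothetical.

```c
#include <string.h>
#include <sys/mount.h>

/* Example-only option table (names as in mount(8)); not uWSGI's own parser. */
static const struct { const char *name; unsigned long flag; } opt_table[] = {
    {"bind", MS_BIND}, {"remount", MS_REMOUNT}, {"ro", MS_RDONLY},
    {"nosuid", MS_NOSUID}, {"nodev", MS_NODEV}, {"noexec", MS_NOEXEC},
};

/* Parse "bind,nosuid,..." into MS_* bits; returns -1 on an unknown option. */
static int parse_opts(const char *opts, unsigned long *flags) {
    size_t n = sizeof(opt_table) / sizeof(opt_table[0]);
    for (*flags = 0; *opts; opts += (*opts == ',')) {
        size_t len = strcspn(opts, ","), i;
        for (i = 0; i < n; i++)
            if (strlen(opt_table[i].name) == len && !strncmp(opts, opt_table[i].name, len))
                break;
        if (i == n) return -1;
        *flags |= opt_table[i].flag;
        opts += len;
    }
    return 0;
}

/* Fill calls[] with the flag word of each mount(2) call; returns 1, 2 or -1. */
int plan_mount(const char *opts, unsigned long calls[2]) {
    unsigned long f;
    if (parse_opts(opts, &f) != 0) return -1;
    calls[0] = f; calls[1] = 0;
    if ((f & MS_BIND) && !(f & MS_REMOUNT) && (f & ~(unsigned long)MS_BIND)) {
        calls[0] = MS_BIND;        /* extra flags would be ignored on this call */
        calls[1] = f | MS_REMOUNT; /* MS_REMOUNT|MS_BIND sets them on this mount only */
        return 2;
    }
    return 1;
}

/* Perform the planned calls; needs CAP_SYS_ADMIN, so main() does not call it. */
int bind_mount(const char *src, const char *dst, const char *opts) {
    unsigned long calls[2];
    int n = plan_mount(opts, calls);
    if (n < 0 || mount(src, dst, NULL, calls[0], NULL) != 0) return -1;
    if (n == 2 && mount(NULL, dst, NULL, calls[1], NULL) != 0) return -1;
    return 0;
}

int main(void) {  /* exits 0 when the page's option string needs two calls */
    unsigned long c[2];
    return plan_mount("bind,nosuid,nodev,noexec", c) == 2 ? 0 : 1;
}
```

A caller that issues only one mount(2) call per hook can use a return value of 2 as the condition for the warning suggested in the last comment.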