From: Florian Weimer
To: DJ Delorie
Cc: libc-alpha@sourceware.org
Subject: Re: nsswitch: do not reload if "/" changes
Date: Mon, 18 Jan 2021 11:47:36 +0100
In-Reply-To: (DJ Delorie's message of "Sun, 17 Jan 2021 20:13:07 -0500")
Message-ID: <87o8hmr06v.fsf@oldenburg.str.redhat.com>
List-Id: Libc-alpha mailing list
* DJ Delorie:

>> I have one remaining question: Should we load service modules after /
>> has changed? Disabling reloading brings us back to the old behavior in
>> terms of exposure to untrusted /, but maybe we can do even better and
>> stop loading service modules altogether? Assuming that this change is
>> compatible with init systems.
>
> This patch makes it "no worse than before" but I'm not sure we can make
> it better than before, because we have no hints that we're entering a
> container, and by the time we have, it's too late to load the right
> module. The options become (1) don't load the module and definitely
> fail, or (2) maybe load the module in the container and work (and,
> depending on your app, open a security hole?) (which is the "old way").
>
> We would either need a new API that says "about to enter container" (or
> hack into the namespace syscalls) or at least dlopen all mentioned
> modules when we parse nsswitch.conf

Are you concerned with the case that there are no NSS calls before
entering the container, so that we don't initialize anything at all?

> + /* Before we reload, verify that "/" hasn't changed. We assume that
> + errors here are very unlikely, but the chance that we're entering
> + a container is also very unlikely, so we err on the side of both
> + very unlikely things not happening at the same time. */
> + if (__stat64 ("/", &str) == 0)

Hmm. Upon second thought, I think this needs to be made fail-closed by
disabling reload on stat failure. The two things aren't as unrelated as
one might think (chroot + turning on some security filter doesn't seem
to be uncommon). Now of course it's a bit unlikely that anything can be
loaded later if / can't be read, but is there a harm in making this
explicit?
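Review bot: the `if (__stat64 ("/", &str) == 0)` guard only handles the success path, so a failed stat of "/" is never treated as a reason to stop the reload, which is the opposite of fail-closed; suggest handling the error branch explicitly and disabling the reload (keeping whatever modules are already loaded) whenever the identity of "/" cannot be established, and revising the comment above it, which currently justifies ignoring that error on probability grounds.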
Thanks,
Florian

--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
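As an added illustration of the fail-closed variant Florian asks for (this is standalone example code written for this page, not glibc's implementation and not code from the thread; the type and function names are hypothetical): the device/inode pair of "/" is captured once at initialisation and compared again before any reload, and the reload is refused on a stat failure, a changed root, or a missing baseline, rather than only when the stat succeeds and reports a change.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Identity of "/" as observed when the process first initialised its
   name-service configuration.  Hypothetical helper type, not glibc's.  */
struct root_identity
{
  bool valid;   /* false if stat ("/") failed at capture time */
  dev_t dev;
  ino_t ino;
};

/* Capture the current device/inode pair of "/".  A failed stat leaves
   the baseline invalid, which later forces every reload decision to
   "no".  */
struct root_identity
capture_root_identity (void)
{
  struct root_identity id = { .valid = false, .dev = 0, .ino = 0 };
  struct stat st;
  if (stat ("/", &st) == 0)
    {
      id.valid = true;
      id.dev = st.st_dev;
      id.ino = st.st_ino;
    }
  return id;
}

/* Pure decision function.  Reload is allowed only when a valid baseline
   exists, the current stat succeeded, and both device and inode match.
   Every other case (stat failure, changed root, no baseline) fails
   closed, so a reload never happens on an unverified "/".  */
bool
reload_allowed (const struct root_identity *saved, bool stat_ok,
                dev_t now_dev, ino_t now_ino)
{
  if (saved == NULL || !saved->valid)
    return false;
  if (!stat_ok)
    return false;   /* fail closed: cannot prove "/" is unchanged */
  return saved->dev == now_dev && saved->ino == now_ino;
}

/* Convenience wrapper that performs the stat itself and feeds the
   result to the pure decision function.  */
bool
reload_allowed_now (const struct root_identity *saved)
{
  struct stat st;
  bool ok = stat ("/", &st) == 0;
  return reload_allowed (saved, ok, ok ? st.st_dev : 0, ok ? st.st_ino : 0);
}

int
main (void)
{
  struct root_identity baseline = capture_root_identity ();

  printf ("reload allowed now:  %s\n",
          reload_allowed_now (&baseline) ? "yes" : "no");
  /* Simulated cases from the discussion: stat failure and a changed root.  */
  printf ("after stat failure:  %s\n",
          reload_allowed (&baseline, false, baseline.dev, baseline.ino)
          ? "yes" : "no");
  printf ("after root changed:  %s\n",
          reload_allowed (&baseline, true, baseline.dev + 1, baseline.ino)
          ? "yes" : "no");
  return 0;
}
```

Keeping the decision in a pure function separates the policy (what counts as "unchanged") from the syscall, so the stat-failure branch can be exercised directly without actually making "/" unreadable.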