Vitaly "Vi" Shukela - Dive
TRANSCRIPT
Dive
Vitaly "Vi" Shukela
Initial rationale
Original dive
Updated rationale
Usage example: restrict suidbit
Usage example: sudo
Usage example: unshare
Feature list
Conclusion
Dive
Vitaly "Vi" Shukela
July 21, 2015
Presentation Outline
1 Initial rationale
2 Original dive
3 Updated rationale
4 Usage example: restrict suidbit
5 Usage example: sudo
6 Usage example: unshare
7 Feature list
8 Conclusion
History
I was experimenting with LXC containers and found out that after starting the container it is tricky to launch some additional program into it.
The supposed way of doing this was configuring the network, starting an SSH server and using it:
LXC and sshd
[Diagram: Terminal runs lxc-execute, which starts the container with bash and sshd inside it; Terminal2 runs ssh to the container's sshd to obtain a second shell (bash2) inside the container.]
History
And I wanted this:
Direct
[Diagram: Terminal runs lxc-execute, which starts the container with bash inside it; Terminal2 starts bash2 directly inside the container, with no sshd or network in between.]
History
I wanted to do it:
Without using virtual network;
Without heavyweight additional programs;
Preserving all FDs, not just stdin/stdout/stderr;
Initial dive
So I implemented a program that listens on a socket and allows remotely starting programs:
No TCP, only UNIX socket;
Using sendfd/recvfd;
No authentication, but preserving user (SO_PEERCRED);
Preserving signals;
Passing command line and environment variables as arrays;
Preserving controlling terminal (1/2);
Preserving process parents (failed);
Initial dive
So, the initial dive rationale is:
Poor man's SSHd for starting things inside lxc-execute.
History
I finished playing with LXC at that moment, but used the "dive" project as a playground.
More features crept in, so I created a "nocreep" branch in Git to preserve the "poor man's sshd" dive as a little program.
Updated rationale
The new rationale is:
Be a tool for starting processes in various ways, like socat is the tool for using sockets.
PR_SET_NO_NEW_PRIVS
I don't like the suidbit feature.
I want to start a program that should not be able to elevate its privileges by filesystem means.
dived -J -S -T -P -X -- ./some_program arguments
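What the PR_SET_NO_NEW_PRIVS restriction on this slide amounts to in plain C, as an added example rather than dive's own code: the flag is set in a child before exec, cannot be cleared again, and is inherited by everything that child spawns. The names run_no_new_privs and check_flag_inherited are mine.

```c
/* Added example, not dive's own code: what PR_SET_NO_NEW_PRIVS amounts to in
 * plain C. Once set, the flag cannot be cleared and is inherited across fork
 * and execve, so a setuid/setgid or file-capability binary executed later
 * runs with the caller's credentials instead of elevated ones. */
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv in a child that can never gain privileges through the filesystem.
 * Returns the child's exit status (127 if exec failed), or -1 on error. */
int run_no_new_privs(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Must happen before execve: the flag is per-process, not per-image. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: set the flag in a child, fork a grandchild, and have the
 * grandchild report PR_GET_NO_NEW_PRIVS. Returns 1 if the flag was inherited. */
int check_flag_inherited(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        pid_t gc = fork();
        if (gc < 0) _exit(3);
        if (gc == 0) _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
        int st;
        if (waitpid(gc, &st, 0) < 0) _exit(4);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 5);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```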
suid-less sudo
I don't like the suidbit feature.
I want to run a large part of the system with the suidbit forbidden (-o nosuid, PR_SET_NO_NEW_PRIVS).
But I also want this part to be able to elevate privileges in a controlled way.
access to one root program for a specific user
Let's give someuser access to run some program (and only that program) as root, without using setuid.
dived /home/someuser/poormansudo -d -C 700 -U someuser:someuser -E -P -- /usr/bin/some_program_only
dive ./poormansudo --some --arguments
give anybody chroot, but revoke setuid magic
I like to use chroot for development and don't want to change to root every time.
dived /var/run/chrooter -d -C 777 -X -r
DIVE_ROOTDIR=/home/user/system dive /var/run/chrooter /bin/bash
namespace handling
Let's become a poor man's LXC.
Start a "container":
dived -J -S -T -P -s net,fs -- /bin/bash
Start an additional program inside that container:
dived -J -S -T -P -N /proc/12345/ns/net -N /proc/12345/ns/mnt -- /bin/bash
Feature list
Starting programs directly ... or initiated by socket
Preservation of argv and envp arrays
Preservation of controlling terminal (limited)
Preservation of uid/gid (initializing other groups)
Signal preservation
Waiting for termination of a remotely started process
inetd mode
Abstract sockets
Capability, securebits and PR_SET_NO_NEW_PRIVS management
Namespace management
"authenticate" feature
Resource (rlimit) management
Creation of pidfile
Chrooting
Saving of pidfile
Current omissions
TODO:
Sane command line argument handling
Full-coverage tests
Cgroups management
Distribution package inclusions
Refactoring
Dive is a project that helps to start programs in a light-weight but versatile way.
https://github.com/vi/dive
The end.