Vitaly "_Vi" Shukela - Dive

Upload: minsk-linux-user-group

Post on 12-Aug-2015


Page 1

Dive

Vitaly "_Vi" Shukela

July 21, 2015

Page 2

Presentation Outline

1 Initial rationale
2 Original dive
3 Updated rationale
4 Usage example: restrict suidbit
5 Usage example: sudo
6 Usage example: unshare
7 Feature list
8 Conclusion

Page 3

History

I was experimenting with LXC containers and found out that, after starting the container, it is tricky to launch some additional program inside it.

The supposed way of doing this was configuring the network, starting an SSH server and using it:


Page 5

LXC and sshd

[Diagram: Terminal runs lxc-execute, which starts bash inside the container, where sshd is also running; Terminal2 runs ssh, which connects to that sshd and starts bash2 inside the container.]

Page 6

History

And I wanted this:

Page 7

Direct

[Diagram: Terminal runs lxc-execute, which starts bash inside the container; Terminal2 starts bash2 directly inside the same container, with no sshd or ssh in between.]

Page 8

History

I wanted to do it:

Without using a virtual network;
Without heavyweight additional programs;
Preserving all FDs, not just stdin/stdout/stderr;


Page 10

Initial dive

So I implemented a program that listens on a socket and allows remotely starting programs:

No TCP, only UNIX socket;
Using sendfd/recvfd;
No authentication, but preserving user (SO_PEERCRED);
Preserving signals;
Passing command line and environment variables as arrays;
Preserving controlling terminal (1/2);
Preserving process parents (failed);


Page 18

Initial dive

So, the initial dive rationale is:

Poor man's SSHd for starting things inside lxc-execute.


Page 20

History

I finished playing with LXC at that moment, but used the "dive" project as a playground.

More features crept in, so I created the "nocreep" branch in Git to preserve the "poor man's sshd" dive as a little program.


Page 22

Updated rationale

The new rationale is:

Be a tool for starting processes in various ways, like socat is the tool for using sockets.


Page 24

PR_SET_NO_NEW_PRIVS

I don't like the suid bit feature.

I want to start a program that should not be able to elevate its privileges by filesystem means.

dived -J -S -T -P -X -- ./some_program arguments
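The kernel mechanism behind this slide, as an added example of my own rather than dive's code: PR_SET_NO_NEW_PRIVS is set in a forked child right before execve, so whatever the child execs (and everything it execs in turn) can no longer gain privileges from setuid/setgid bits or file capabilities; the flag is one-way and inherited across fork and exec. It assumes Linux 3.5 or newer and CPython 3; the PR_* constants are the values from linux/prctl.h, and the NoNewPrivs line in /proc/<pid>/status needs Linux 4.10 or newer.

```python
# Added example (not dive's own code): set PR_SET_NO_NEW_PRIVS before exec so the
# started program cannot elevate privileges through setuid/setgid bits or file
# capabilities. Assumes Linux >= 3.5 and CPython 3 (ctypes, os.fork).
import ctypes
import os

PR_SET_NO_NEW_PRIVS = 38  # values from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong,
                        ctypes.c_ulong, ctypes.c_ulong]
_libc.prctl.restype = ctypes.c_int


def set_no_new_privs():
    """Set the flag on the calling thread. It is inherited across fork and
    execve and can never be cleared again, so set it right before exec."""
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def no_new_privs_flag():
    """Read the flag back via prctl (1 = set, 0 = clear)."""
    return _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def no_new_privs_from_status(pid="self"):
    """The same bit as other processes (and auditors) see it in /proc/<pid>/status."""
    with open(f"/proc/{pid}/status") as status:
        for line in status:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    return None  # kernel older than 4.10 does not report the field


def run_locked_down(argv):
    """Fork, set the flag in the child, exec argv; return the child's exit code.
    With the flag set, a setuid/setgid or file-capability binary that argv runs
    executes with the caller's own credentials instead of elevated ones."""
    pid = os.fork()
    if pid == 0:
        try:
            set_no_new_privs()
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if prctl or exec failed
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


if __name__ == "__main__":
    # The child proves the flag survived execve by reading its own status file.
    code = run_locked_down(["/bin/sh", "-c",
                            "grep -q '^NoNewPrivs:.*1' /proc/self/status"])
    print("child saw NoNewPrivs=1:", code == 0)
    print("parent flag:", no_new_privs_flag())
```

The child does the check itself because the flag belongs to the exec'd process, not to the launcher: the parent's own flag is untouched, which is exactly why a launcher like dived can keep its privileges while handing out restricted ones.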


Page 28

suid-less sudo

I don't like the suid bit feature.

I want to run a large part of the system with the suid bit forbidden (-o nosuid, PR_SET_NO_NEW_PRIVS).

But I also want this part to be able to elevate privileges in a controlled way.


Page 31

access to one root program for a specific user

Let's give someuser access to run one specific program as root, without using setuid.

dived /home/someuser/poormansudo -d -C 700 -U someuser:someuser -E -P -- /usr/bin/some_program_only

dive ./poormansudo --some --arguments
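The two slides this serves are the "Initial dive" feature list (UNIX socket, sendfd/recvfd, SO_PEERCRED instead of authentication, argv and envp passed as arrays) and this suid-less sudo pattern. The code below is an added example of mine, not dive's source: a client ships its argv, environment and its own file descriptors over a UNIX socket in one message (SCM_RIGHTS), and the server learns the caller's uid/gid/pid from the kernel via SO_PEERCRED, compares it with an allow-list, and runs a program with the client's descriptors as stdin/stdout/stderr. Passing fixed_argv makes the server ignore whatever argv the client sent, which is how "one root program for a specific user" stays one program. As I read the slide's command, the socket is created with mode 700 and owned by someuser, so filesystem permissions on the socket are the first line of access control; the peer-credential check is the second, and the names launch_via_socket, serve_one and the GREETING variable are my constructions. Assumes Linux and CPython 3.8+.

```python
# Added example (not dive's own code): the "poor man's sshd" core of dive/dived.
# Client -> server over a UNIX socket: argv + env as JSON, file descriptors as
# SCM_RIGHTS ancillary data. Server: SO_PEERCRED tells it who is asking.
# Assumes Linux (SO_PEERCRED layout = struct ucred {pid, uid, gid}) and CPython 3.8+.
import array
import json
import os
import socket
import struct


def peer_credentials(conn):
    """Kernel-supplied (pid, uid, gid) of the connected peer: cannot be spoofed."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)


def send_request(conn, argv, env, fds):
    """sendfd: one message carrying the arrays plus descriptors as ancillary data."""
    payload = json.dumps({"argv": argv, "env": env}).encode()
    rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))
    conn.sendmsg([payload], [rights])


def recv_request(conn, max_fds=16):
    """recvfd: returns (argv, env, [fds]); the fds are fresh numbers in this process."""
    fd_buf = array.array("i")
    data, ancdata, _, _ = conn.recvmsg(65536, socket.CMSG_LEN(max_fds * fd_buf.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fd_buf.frombytes(cdata[:len(cdata) - len(cdata) % fd_buf.itemsize])
    req = json.loads(data)
    return req["argv"], req["env"], list(fd_buf)


def serve_one(conn, allowed_uids, fixed_argv=None):
    """Handle one request; the returned dict is what an audit log should record."""
    pid, uid, gid = peer_credentials(conn)
    argv, env, fds = recv_request(conn)
    if uid not in allowed_uids:
        for fd in fds:
            os.close(fd)            # never keep a stranger's descriptors around
        return {"accepted": False, "peer_uid": uid, "exit_status": None}
    run_argv = fixed_argv if fixed_argv is not None else argv
    child = os.fork()
    if child == 0:
        try:
            # A root dived would setgid/setuid to the peer's ids here when it
            # wants to preserve the user rather than run the program as root.
            for target, fd in enumerate(fds[:3]):
                os.dup2(fd, target)  # client's fds become stdin/stdout/stderr
            for fd in fds:
                os.close(fd)
            os.execvpe(run_argv[0], run_argv, env)
        finally:
            os._exit(127)
    for fd in fds:
        os.close(fd)
    _, status = os.waitpid(child, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return {"accepted": True, "peer_uid": uid, "exit_status": code}


def launch_via_socket(fixed_argv=None, allowed_uids=None):
    """Constructed end-to-end run: client and server in one process over socketpair().
    Returns (server's record, bytes the program wrote to the client's stdout)."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    rd, wr = os.pipe()                        # stands in for the client's terminal
    devnull = os.open(os.devnull, os.O_RDONLY)
    send_request(client, ["/bin/sh", "-c", "echo client-chosen $GREETING"],
                 {"GREETING": "hi", "PATH": "/usr/bin:/bin"}, [devnull, wr, wr])
    allowed = allowed_uids if allowed_uids is not None else {os.getuid()}
    record = serve_one(server, allowed, fixed_argv)
    for fd in (wr, devnull):
        os.close(fd)
    client.close()
    server.close()
    output = b""
    while chunk := os.read(rd, 4096):
        output += chunk
    os.close(rd)
    return record, output


if __name__ == "__main__":
    print(launch_via_socket(["/bin/sh", "-c", "echo fixed $GREETING"]))
    print(launch_via_socket(allowed_uids=set()))  # denied: nothing runs
```

SOCK_SEQPACKET keeps each request in one message, so the descriptors and the arrays always arrive together; with SOCK_STREAM the server would need framing. The denied path matters as much as the accepted one: a launcher that accepts descriptors and then errors out must close them, otherwise the caller has planted open files in a privileged process.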


Page 34

give anybody chroot, but revoke setuid magic

I like to use chroot for development and don't want to change to root every time.

dived /var/run/chrooter -d -C 777 -X -r

DIVE_ROOTDIR=/home/user/system dive /var/run/chrooter /bin/bash


Page 38

namespace handling

Let's become a poor man's LXC.

Start a "container":

dived -J -S -T -P -s net,fs -- /bin/bash

Start an additional program inside that container:

dived -J -S -T -P -N /proc/12345/ns/net -N /proc/12345/ns/mnt -- /bin/bash
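An added example of mine, not dive's code, for the two operations this slide is built on: as I read it, -s unshares namespaces for the new process and -N enters an existing namespace through its /proc/<pid>/ns/* path (setns). namespace_diff() is the check to run before trusting such a "container": it reads the namespace links of two processes and reports which namespaces they do not share. spawn_unshared() starts a child that detaches its network namespace the way an unprivileged user is able to, by creating a user namespace at the same time. Assumes Linux and CPython 3; the CLONE_* values are from linux/sched.h, and unshare may be refused (EPERM, or EINVAL when user namespaces are compiled out) by a seccomp policy or kernel configuration, which the example reports rather than hides.

```python
# Added example (not dive's own code): inspect and create Linux namespaces.
# Assumes Linux and CPython 3 (ctypes for unshare(2), os.fork, /proc).
import ctypes
import os

CLONE_NEWNET = 0x40000000    # from <linux/sched.h>
CLONE_NEWUSER = 0x10000000
NS_KINDS = ("user", "net", "mnt", "pid", "uts", "ipc")

_libc = ctypes.CDLL(None, use_errno=True)


def namespace_ids(pid="self"):
    """Map namespace kind -> identity string such as 'net:[4026531992]'."""
    return {kind: os.readlink(f"/proc/{pid}/ns/{kind}") for kind in NS_KINDS}


def namespace_diff(pid_a, pid_b):
    """Kinds of namespace in which pid_a and pid_b live apart (empty = fully shared)."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return {kind for kind in NS_KINDS if a[kind] != b[kind]}


def spawn_unshared(flags):
    """Fork a child that calls unshare(flags) and then parks until released.
    Returns (child pid, errno of unshare or 0, release function)."""
    status_r, status_w = os.pipe()   # child -> parent: result of unshare
    hold_r, hold_w = os.pipe()       # parent -> child: EOF means "you may exit"
    pid = os.fork()
    if pid == 0:
        os.close(status_r)
        os.close(hold_w)             # child must not hold its own release pipe open
        rc = 0 if _libc.unshare(ctypes.c_int(flags)) == 0 else ctypes.get_errno()
        os.write(status_w, rc.to_bytes(4, "little"))
        os.read(hold_r, 1)           # blocks while the parent compares namespaces
        os._exit(0)
    os.close(status_w)
    os.close(hold_r)
    raw = os.read(status_r, 4)
    os.close(status_r)
    errno = int.from_bytes(raw, "little") if raw else -1

    def release():
        os.close(hold_w)
        os.waitpid(pid, 0)

    return pid, errno, release


def demo():
    """Detach a child into new user+net namespaces and verify it from outside."""
    pid, errno, release = spawn_unshared(CLONE_NEWUSER | CLONE_NEWNET)
    try:
        differ = namespace_diff("self", pid) if errno == 0 else set()
    finally:
        release()
    return {"unshare_errno": errno, "differ": differ}


if __name__ == "__main__":
    print(demo())
```

Only the user and net namespaces differ in the successful case; mnt, pid, uts and ipc are still shared, which is the point of the check: a process that "looks containerised" because it has its own network stack may still see your whole filesystem and process table. Comparing the links is also how a launcher entering a namespace via a /proc path can confirm afterwards that it landed where it intended.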


Page 42

Feature list

Starting programs directly ... or initiated by socket
Preservation of argv and envp arrays
Preservation of controlling terminal (limited)
Preservation of uid/gid (initializing other groups)
Signal preservation
Waiting for termination of a remotely started process
inetd mode
Abstract sockets
Capability, securebits and PR_SET_NO_NEW_PRIVS management
Namespace management
"authenticate" feature
Resource (rlimit) management
Creation of pidfile
Chrooting
Saving of pidfile

Page 43

Current omissions

TODO:

Sane command line argument handling
Full-coverage tests
Cgroups management
Distribution package inclusion
Refactoring


Page 45

Conclusion

Dive is a project that helps to start programs in a light-weight but versatile way.

https://github.com/vi/dive

The end.