Fix fifo usage with userns and not root users by crosbymichael · Pull Request #912 · opencontainers/runc

crosbymichael · 2016-06-14T02:18:14Z

Signed-off-by: Michael Crosby crosbymichael@gmail.com

cyphar · 2016-06-14T02:44:30Z

+	}
+	fifoName := filepath.Join(containerRoot, execFifoFilename)
+	oldMask := syscall.Umask(0000)
+	if err := syscall.Mkfifo(fifoName, 0666); err != nil {


Doesn't this mean that any user can start a container created by root? This doesn't make sense to me IMO -- what's the usecase? With the rootless container setup, my hope was that each user's containers could only be controlled by them (with root being a special case) -- this means that any user will be able to start any other users' containers. Why is this necessary? That's why I liked the signal setup, because it retained that access control.

Sure, at the moment the only access control is "starting a container if it's been set up already". But I can imagine cases where people might not want an unprivileged user to start a container before they've run all of their hooks.

My plan with the rootless container setup is for everything to be per-user, rather than a global free-for-all.

I'll change this to 0622 so that only root can read and unblock the container's process

Since we chowning the FIFO, surely we can just make it 0600? Why do other users need to be able to write to the FIFO?

Isn't the uid at that point basically 0,0 ?

Meaning that, in a userns context, the user at the time of writing to the fifo would be matched against "other".

No, because we chown the FIFO when creating the container (it's the next line after this). If we didn't chown it, then we wouldn't have any guarantee that the UID would be mapped (and thus nobody in the container could read from the socket).

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

crosbymichael · 2016-06-15T17:28:24Z

@LK4D4 @mrunalp can you please look at this PR. It fixes permissions errors with the fifo under userns and non root users in regular containers on some machines with umask issues

mrunalp · 2016-06-15T17:29:59Z

@crosbymichael Yeah, will review it shortly.

mrunalp · 2016-06-15T18:39:32Z

LGTM

LK4D4 · 2016-06-15T20:00:24Z

LGTM

cyphar · 2016-06-15T20:37:19Z

@crosbymichael I still had some open concerns about the permissions:

Since we chowning the FIFO, surely we can just make it 0600? Why do other users need to be able to write to the FIFO?

No [ we don't need to allow other users to write ], because we chown the FIFO when creating the container (it's the next line after this). If we didn't chown it, then we wouldn't have any guarantee that the UID would be mapped (and thus nobody in the container could read from the socket).

GordonTheTurtle added the status/0-triage label Jun 14, 2016

crosbymichael force-pushed the fifo-userns branch 2 times, most recently from 7461a1a to 01f1d93 Compare June 14, 2016 02:22

crosbymichael added the kind/bug label Jun 14, 2016

cyphar reviewed Jun 14, 2016
View reviewed changes

Fix fifo usage with userns

5ce88a9

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

crosbymichael force-pushed the fifo-userns branch from 01f1d93 to 5ce88a9 Compare June 14, 2016 03:20

LK4D4 merged commit cc29e3d into opencontainers:master Jun 15, 2016

crosbymichael deleted the fifo-userns branch June 15, 2016 20:01

crosbymichael restored the fifo-userns branch June 15, 2016 20:28

cyphar mentioned this pull request Jun 17, 2016

factory: fix FIFO permissions #920

Closed

crosbymichael deleted the fifo-userns branch July 25, 2016 20:15

cyphar added the rootless-containers label Mar 17, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix fifo usage with userns and not root users#912

Fix fifo usage with userns and not root users#912
LK4D4 merged 1 commit intoopencontainers:masterfrom
crosbymichael:fifo-userns

crosbymichael commented Jun 14, 2016

Uh oh!

cyphar Jun 14, 2016 •

edited

Loading

Uh oh!

crosbymichael Jun 14, 2016

Uh oh!

cyphar Jun 14, 2016 •

edited

Loading

Uh oh!

mlaventure Jun 14, 2016

Uh oh!

cyphar Jun 14, 2016

Uh oh!

crosbymichael commented Jun 15, 2016

Uh oh!

mrunalp commented Jun 15, 2016

Uh oh!

mrunalp commented Jun 15, 2016 •

edited by caniszczyk

Loading

Uh oh!

LK4D4 commented Jun 15, 2016 •

edited by caniszczyk

Loading

Uh oh!

cyphar commented Jun 15, 2016 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

crosbymichael commented Jun 14, 2016

Uh oh!

cyphar Jun 14, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

crosbymichael Jun 14, 2016

Choose a reason for hiding this comment

Uh oh!

cyphar Jun 14, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mlaventure Jun 14, 2016

Choose a reason for hiding this comment

Uh oh!

cyphar Jun 14, 2016

Choose a reason for hiding this comment

Uh oh!

crosbymichael commented Jun 15, 2016

Uh oh!

mrunalp commented Jun 15, 2016

Uh oh!

mrunalp commented Jun 15, 2016 • edited by caniszczyk Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LK4D4 commented Jun 15, 2016 • edited by caniszczyk Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cyphar commented Jun 15, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

cyphar Jun 14, 2016 •

edited

Loading

cyphar Jun 14, 2016 •

edited

Loading

mrunalp commented Jun 15, 2016 •

edited by caniszczyk

Loading

LK4D4 commented Jun 15, 2016 •

edited by caniszczyk

Loading

cyphar commented Jun 15, 2016 •

edited

Loading