[devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[@ 2019-12-13 11:42 UTC (permalink / raw)]

[devel] [PATCH hasher-priv v1 1/3] Make a daemon from the hasher-priv

[@ 2019-12-13 11:42 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Make a daemon from the hasher-priv

[@ 2020-09-17 13:10 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Make a daemon from the hasher-priv

[@ 2020-10-01 19:43 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Make a daemon from the hasher-priv

[@ 2020-10-01 21:24 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Make a daemon from the hasher-priv

[@ 2020-10-01 23:38 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] *literacy*

[@ 2020-09-17 13:10 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] caller.c

[@ 2020-09-17 13:11 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] caller.c

[@ 2020-09-17 13:55 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] caller_server.c, caller_task.c

[@ 2020-09-17 13:11 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] caller_server.c, caller_task.c

[@ 2020-10-01 19:47 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] config.c

[@ 2020-09-17 13:11 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] config.c

[@ 2020-09-18 10:42 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] hasher-privd.c

[@ 2020-09-17 13:12 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] logging.c

[@ 2020-09-17 13:12 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-17 13:12 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-17 15:09 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-18 10:48 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-18 10:54 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-18 11:33 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] Makefile

[@ 2020-09-18 12:24 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] server.conf

[@ 2020-09-17 13:12 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] server.conf

[@ 2020-09-18 10:50 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 1/3] server.conf

[@ 2020-09-18 10:57 UTC (permalink / raw)]

[devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2019-12-13 11:42 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-06-17 22:31 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-06-17 22:38 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-06-17 22:50 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-06-17 22:43 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-06-17 22:53 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-09-17 13:10 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-10-01 17:25 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 2/3] Add systemd and sysvinit service files

[@ 2020-10-01 17:50 UTC (permalink / raw)]

[devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2019-12-13 11:42 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-09-17 13:11 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-10-01 19:17 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-10-01 20:23 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-10-02 0:42 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-10-02 11:46 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support

[@ 2020-10-02 12:58 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[@ 2019-12-15 8:50 UTC (permalink / raw)]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Andrey Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1236 bytes --]

On Sun, 15 Dec 2019 11:50:13 +0300 Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion@altlinux.ru> wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove SUID flag.
> 
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root.  So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

The code separation for the privileged and the unprivileged
processes allows to reduce the attack surface when implemented
properly. Furthermore it should be possible to replace the SUID by
the Linux capabilities in future — so the code/process separation
makes even more sense here as it will lead to a smaller number of
capabilities required.

I have not reviewed this code yet, but I like the idea.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Dmitry V. Levin]

[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]

On Sun, Dec 15, 2019 at 11:50:13AM +0300, Alexey Tourbin wrote:
> On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion@altlinux.ru> wrote:
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove SUID flag.
> 
> Removing the SUID flag shouldn't be an end in itself. You're still
> running a process with root privileges which serves user requests.
> It's the same, except that instead of the SUID flag, the process just
> starts as root.  So you are not improving privilege separation or
> something, you are only limiting the ability of the user to tamper
> with the SUID binary. And tampering with the binary should be
> pointless anyway (unless glibc is faulty and permits arbitrary code
> injection, etc.).

While turning a suid root executable into a daemon doesn't automagically
make everything more secure, it's an important move in the right direction.

Firstly, the attack surface of a suid root executable is larger than
of the equivalent root daemon on the other side of a unix domain socket,
so this change narrows the attack surface.

Secondly, this change opens the way for more elaborate privilege separation.

Thirdly, it makes hasher available for PR_SET_NO_NEW_PRIVS'ed
processes (e.g. self-seccomp'ed) that cannot make use of suid executables.


-- 
ldv

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Tourbin]

On Mon, Dec 16, 2019 at 12:35 PM Dmitry V. Levin <ldv@altlinux.org> wrote:
> On Sun, Dec 15, 2019 at 11:50:13AM +0300, Alexey Tourbin wrote:
> > On Fri, Dec 13, 2019 at 2:42 PM Alex Gladkov <legion@altlinux.ru> wrote:
> > > The hasher-priv is a SUID utility. This is not good. Separation of the
> > > server and client parts will allow us to remove SUID flag.
> >
> > Removing the SUID flag shouldn't be an end in itself. You're still
> > running a process with root privileges which serves user requests.
> > It's the same, except that instead of the SUID flag, the process just
> > starts as root.  So you are not improving privilege separation or
> > something, you are only limiting the ability of the user to tamper
> > with the SUID binary. And tampering with the binary should be
> > pointless anyway (unless glibc is faulty and permits arbitrary code
> > injection, etc.).
>
> While turning a suid root executable into a daemon doesn't automagically
> make everything more secure, it's an important move in the right direction.

Not necessarily. Conversion into a daemon takes more code, which can
have its own faults. Instead of relying on the set-uid mechanism,
you're very likely to up end up with a more complex DIY construction.

> Firstly, the attack surface of a suid root executable is larger than
> of the equivalent root daemon on the other side of a unix domain socket,
> so this change narrows the attack surface.

You are casting doubt on the venerable set-uid mechanism. What if it's
faulty? What if the user can tamper with the binary and somehow inject
arbitrary code? Well, you can do nothing about it, and moreover it's
not your problem. (Likewise, if the kernel is faulty and permits
privilege escalation, you can do nothing about it, and the only way
round is to fix the kernel.) Your basic mechanisms must be secure, and
it's doable. The "attack surface" is just a highbrow way of saying
that the dynamic loader should be insensitive to LD_PRELOAD. :)

> Secondly, this change opens the way for more elaborate privilege separation.
>
> Thirdly, it makes hasher available for PR_SET_NO_NEW_PRIVS'ed
> processes (e.g. self-seccomp'ed) that cannot make use of suid executables.

These might be valid arguments. Still, I find it hard to believe it's
really about security. hasher-priv is minimalistic, and its use is
limited to those few machines that need it, some of them booted over
the network. There is no good reason to believe that we might face any
security risks.

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Gladkov]

On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> From: Alexey Gladkov <legion@altlinux.org>
> 
> The hasher-priv is a SUID utility. This is not good. Separation of the
> server and client parts will allow us to remove SUID flag.
> 
> The separation of server and client is not intended to give clients
> access over the network. This separation is only necessary to distinguish
> privileges. Only UNIX domain socket is used.
> 
> A separate session process is created for each connected user. Each such
> process ends after a certain period of inactivity.

Gently remind about patches.

> Alexey Gladkov (3):
>   Make a daemon from the hasher-priv
>   Add systemd and sysvinit service files
>   Add cgroup support
> 
>  hasher-priv/.gitignore            |   1 +
>  hasher-priv/DESIGN                | 281 +++++++++++++--------
>  hasher-priv/Makefile              |  34 ++-
>  hasher-priv/caller.c              |  81 +++---
>  hasher-priv/caller_server.c       | 373 ++++++++++++++++++++++++++++
>  hasher-priv/caller_task.c         | 217 +++++++++++++++++
>  hasher-priv/cgroup.c              | 119 +++++++++
>  hasher-priv/cmdline.c             |  27 +-
>  hasher-priv/communication.c       | 392 ++++++++++++++++++++++++++++++
>  hasher-priv/communication.h       |  77 ++++++
>  hasher-priv/config.c              | 148 ++++++++++-
>  hasher-priv/epoll.c               |  39 +++
>  hasher-priv/epoll.h               |  18 ++
>  hasher-priv/hasher-priv.c         |  78 ++++++
>  hasher-priv/hasher-privd.c        | 375 ++++++++++++++++++++++++++++
>  hasher-priv/hasher-privd.service  |  11 +
>  hasher-priv/hasher-privd.sysvinit |  86 +++++++
>  hasher-priv/io_log.c              |   2 +-
>  hasher-priv/io_x11.c              |   2 +-
>  hasher-priv/killuid.c             |   2 +-
>  hasher-priv/logging.c             |  64 +++++
>  hasher-priv/logging.h             |  55 +++++
>  hasher-priv/main.c                |  75 ------
>  hasher-priv/pass.c                | 117 ++++++++-
>  hasher-priv/pidfile.c             | 128 ++++++++++
>  hasher-priv/pidfile.h             |  44 ++++
>  hasher-priv/priv.h                |  35 ++-
>  hasher-priv/server.conf           |  22 ++
>  hasher-priv/sockets.c             | 183 ++++++++++++++
>  hasher-priv/sockets.h             |  32 +++
>  hasher-priv/x11.c                 |   1 +
>  31 files changed, 2872 insertions(+), 247 deletions(-)
>  create mode 100644 hasher-priv/caller_server.c
>  create mode 100644 hasher-priv/caller_task.c
>  create mode 100644 hasher-priv/cgroup.c
>  create mode 100644 hasher-priv/communication.c
>  create mode 100644 hasher-priv/communication.h
>  create mode 100644 hasher-priv/epoll.c
>  create mode 100644 hasher-priv/epoll.h
>  create mode 100644 hasher-priv/hasher-priv.c
>  create mode 100644 hasher-priv/hasher-privd.c
>  create mode 100644 hasher-priv/hasher-privd.service
>  create mode 100755 hasher-priv/hasher-privd.sysvinit
>  create mode 100644 hasher-priv/logging.c
>  create mode 100644 hasher-priv/logging.h
>  delete mode 100644 hasher-priv/main.c
>  create mode 100644 hasher-priv/pidfile.c
>  create mode 100644 hasher-priv/pidfile.h
>  create mode 100644 hasher-priv/server.conf
>  create mode 100644 hasher-priv/sockets.c
>  create mode 100644 hasher-priv/sockets.h
> 
> -- 
> 2.24.0

-- 
Rgrds, legion

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Gladkov]

On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> From: Alexey Gladkov <legion@altlinux.org>

ping

> The hasher-priv is a SUID utility. This is not good. Separation of the
> server and client parts will allow us to remove SUID flag.
> 
> The separation of server and client is not intended to give clients
> access over the network. This separation is only necessary to distinguish
> privileges. Only UNIX domain socket is used.
> 
> A separate session process is created for each connected user. Each such
> process ends after a certain period of inactivity.
> 
> Alexey Gladkov (3):
>   Make a daemon from the hasher-priv
>   Add systemd and sysvinit service files
>   Add cgroup support
> 
>  hasher-priv/.gitignore            |   1 +
>  hasher-priv/DESIGN                | 281 +++++++++++++--------
>  hasher-priv/Makefile              |  34 ++-
>  hasher-priv/caller.c              |  81 +++---
>  hasher-priv/caller_server.c       | 373 ++++++++++++++++++++++++++++
>  hasher-priv/caller_task.c         | 217 +++++++++++++++++
>  hasher-priv/cgroup.c              | 119 +++++++++
>  hasher-priv/cmdline.c             |  27 +-
>  hasher-priv/communication.c       | 392 ++++++++++++++++++++++++++++++
>  hasher-priv/communication.h       |  77 ++++++
>  hasher-priv/config.c              | 148 ++++++++++-
>  hasher-priv/epoll.c               |  39 +++
>  hasher-priv/epoll.h               |  18 ++
>  hasher-priv/hasher-priv.c         |  78 ++++++
>  hasher-priv/hasher-privd.c        | 375 ++++++++++++++++++++++++++++
>  hasher-priv/hasher-privd.service  |  11 +
>  hasher-priv/hasher-privd.sysvinit |  86 +++++++
>  hasher-priv/io_log.c              |   2 +-
>  hasher-priv/io_x11.c              |   2 +-
>  hasher-priv/killuid.c             |   2 +-
>  hasher-priv/logging.c             |  64 +++++
>  hasher-priv/logging.h             |  55 +++++
>  hasher-priv/main.c                |  75 ------
>  hasher-priv/pass.c                | 117 ++++++++-
>  hasher-priv/pidfile.c             | 128 ++++++++++
>  hasher-priv/pidfile.h             |  44 ++++
>  hasher-priv/priv.h                |  35 ++-
>  hasher-priv/server.conf           |  22 ++
>  hasher-priv/sockets.c             | 183 ++++++++++++++
>  hasher-priv/sockets.h             |  32 +++
>  hasher-priv/x11.c                 |   1 +
>  31 files changed, 2872 insertions(+), 247 deletions(-)
>  create mode 100644 hasher-priv/caller_server.c
>  create mode 100644 hasher-priv/caller_task.c
>  create mode 100644 hasher-priv/cgroup.c
>  create mode 100644 hasher-priv/communication.c
>  create mode 100644 hasher-priv/communication.h
>  create mode 100644 hasher-priv/epoll.c
>  create mode 100644 hasher-priv/epoll.h
>  create mode 100644 hasher-priv/hasher-priv.c
>  create mode 100644 hasher-priv/hasher-privd.c
>  create mode 100644 hasher-priv/hasher-privd.service
>  create mode 100755 hasher-priv/hasher-privd.sysvinit
>  create mode 100644 hasher-priv/logging.c
>  create mode 100644 hasher-priv/logging.h
>  delete mode 100644 hasher-priv/main.c
>  create mode 100644 hasher-priv/pidfile.c
>  create mode 100644 hasher-priv/pidfile.h
>  create mode 100644 hasher-priv/server.conf
>  create mode 100644 hasher-priv/sockets.c
>  create mode 100644 hasher-priv/sockets.h
> 
> -- 
> 2.24.0
> 
> _______________________________________________
> Devel mailing list
> Devel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel

-- 
Rgrds, legion

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Arseny Maslennikov]

[-- Attachment #1: Type: text/plain, Size: 4527 bytes --]

On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> From: Alexey Gladkov <legion@altlinux.org>
> 
> The hasher-priv is a SUID utility. This is not good. Separation of the
> server and client parts will allow us to remove SUID flag.
> 
> The separation of server and client is not intended to give clients
> access over the network. This separation is only necessary to distinguish
> privileges. Only UNIX domain socket is used.
> 
> A separate session process is created for each connected user. Each such
> process ends after a certain period of inactivity.

Thank you for trying this idea out; despite the trolling attempts, this
effort is long welcome.

There are some issues with the patchset, which I intend to cover in
subsequent emails. I have published[1] some fix-up commits on top of
these patches in an attempt to ensure that, barring the issues with a
known fix, this works; however, some bugs are definitely still unsolved
by now, so I decided to discuss the more apparent points first.

[1] http://git.altlinux.org/people/arseny/packages/hasher-priv.git?a=summary

There's an issue when hasher-privd tries to fulfill a chrootuid{1,2}
request: the (eventually) unprivileged task executor process
successfully invokes waitpid() or the likes on a child process,
select()s on I/O descriptors, but gets CHLD later — and it looks like
the inherited signal handler causes it to wait again.
I've not yet found a decent reproducer — the following command:
`hsh-shell $workdir'
reproduces the issue reliably for me, but hsh-mkchroot, hsh-rmchroot,
hsh-install are all OK. The root cause nevertheless is not yet
established. It looks like this has to be patched somewhere in
chrootuid(), but I might be wrong on this one.

> 
> Alexey Gladkov (3):
>   Make a daemon from the hasher-priv
>   Add systemd and sysvinit service files
>   Add cgroup support
> 
>  hasher-priv/.gitignore            |   1 +
>  hasher-priv/DESIGN                | 281 +++++++++++++--------
>  hasher-priv/Makefile              |  34 ++-
>  hasher-priv/caller.c              |  81 +++---
>  hasher-priv/caller_server.c       | 373 ++++++++++++++++++++++++++++
>  hasher-priv/caller_task.c         | 217 +++++++++++++++++
>  hasher-priv/cgroup.c              | 119 +++++++++
>  hasher-priv/cmdline.c             |  27 +-
>  hasher-priv/communication.c       | 392 ++++++++++++++++++++++++++++++
>  hasher-priv/communication.h       |  77 ++++++
>  hasher-priv/config.c              | 148 ++++++++++-
>  hasher-priv/epoll.c               |  39 +++
>  hasher-priv/epoll.h               |  18 ++
>  hasher-priv/hasher-priv.c         |  78 ++++++
>  hasher-priv/hasher-privd.c        | 375 ++++++++++++++++++++++++++++
>  hasher-priv/hasher-privd.service  |  11 +
>  hasher-priv/hasher-privd.sysvinit |  86 +++++++
>  hasher-priv/io_log.c              |   2 +-
>  hasher-priv/io_x11.c              |   2 +-
>  hasher-priv/killuid.c             |   2 +-
>  hasher-priv/logging.c             |  64 +++++
>  hasher-priv/logging.h             |  55 +++++
>  hasher-priv/main.c                |  75 ------
>  hasher-priv/pass.c                | 117 ++++++++-
>  hasher-priv/pidfile.c             | 128 ++++++++++
>  hasher-priv/pidfile.h             |  44 ++++
>  hasher-priv/priv.h                |  35 ++-
>  hasher-priv/server.conf           |  22 ++
>  hasher-priv/sockets.c             | 183 ++++++++++++++
>  hasher-priv/sockets.h             |  32 +++
>  hasher-priv/x11.c                 |   1 +
>  31 files changed, 2872 insertions(+), 247 deletions(-)
>  create mode 100644 hasher-priv/caller_server.c
>  create mode 100644 hasher-priv/caller_task.c
>  create mode 100644 hasher-priv/cgroup.c
>  create mode 100644 hasher-priv/communication.c
>  create mode 100644 hasher-priv/communication.h
>  create mode 100644 hasher-priv/epoll.c
>  create mode 100644 hasher-priv/epoll.h
>  create mode 100644 hasher-priv/hasher-priv.c
>  create mode 100644 hasher-priv/hasher-privd.c
>  create mode 100644 hasher-priv/hasher-privd.service
>  create mode 100755 hasher-priv/hasher-privd.sysvinit
>  create mode 100644 hasher-priv/logging.c
>  create mode 100644 hasher-priv/logging.h
>  delete mode 100644 hasher-priv/main.c
>  create mode 100644 hasher-priv/pidfile.c
>  create mode 100644 hasher-priv/pidfile.h
>  create mode 100644 hasher-priv/server.conf
>  create mode 100644 hasher-priv/sockets.c
>  create mode 100644 hasher-priv/sockets.h
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Gladkov]

[-- Attachment #1: Type: text/plain, Size: 5096 bytes --]

On Thu, Sep 17, 2020 at 04:09:35PM +0300, Arseny Maslennikov wrote:
> On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> > From: Alexey Gladkov <legion@altlinux.org>
> > 
> > The hasher-priv is a SUID utility. This is not good. Separation of the
> > server and client parts will allow us to remove SUID flag.
> > 
> > The separation of server and client is not intended to give clients
> > access over the network. This separation is only necessary to distinguish
> > privileges. Only UNIX domain socket is used.
> > 
> > A separate session process is created for each connected user. Each such
> > process ends after a certain period of inactivity.
> 
> Thank you for trying this idea out; despite the trolling attempts, this
> effort is long welcome.

I created this patchset a long time ago. I've already lost my context. It
might be better if you keep working on this patch.

> There are some issues with the patchset, which I intend to cover in
> subsequent emails. I have published[1] some fix-up commits on top of
> these patches in an attempt to ensure that, barring the issues with a
> known fix, this works; however, some bugs are definitely still unsolved
> by now, so I decided to discuss the more apparent points first.
> 
> [1] http://git.altlinux.org/people/arseny/packages/hasher-priv.git?a=summary

It looks like you've already started working on finalizing this patch :)

> There's an issue when hasher-privd tries to fulfill a chrootuid{1,2}
> request: the (eventually) unprivileged task executor process
> successfully invokes waitpid() or the likes on a child process,
> select()s on I/O descriptors, but gets CHLD later — and it looks like
> the inherited signal handler causes it to wait again.

Hm...

> I've not yet found a decent reproducer — the following command:
> `hsh-shell $workdir'

There is no such command. You need to send command to run /bin/sh.

> reproduces the issue reliably for me, but hsh-mkchroot, hsh-rmchroot,
> hsh-install are all OK. The root cause nevertheless is not yet
> established. It looks like this has to be patched somewhere in
> chrootuid(), but I might be wrong on this one.
> 
> > 
> > Alexey Gladkov (3):
> >   Make a daemon from the hasher-priv
> >   Add systemd and sysvinit service files
> >   Add cgroup support
> > 
> >  hasher-priv/.gitignore            |   1 +
> >  hasher-priv/DESIGN                | 281 +++++++++++++--------
> >  hasher-priv/Makefile              |  34 ++-
> >  hasher-priv/caller.c              |  81 +++---
> >  hasher-priv/caller_server.c       | 373 ++++++++++++++++++++++++++++
> >  hasher-priv/caller_task.c         | 217 +++++++++++++++++
> >  hasher-priv/cgroup.c              | 119 +++++++++
> >  hasher-priv/cmdline.c             |  27 +-
> >  hasher-priv/communication.c       | 392 ++++++++++++++++++++++++++++++
> >  hasher-priv/communication.h       |  77 ++++++
> >  hasher-priv/config.c              | 148 ++++++++++-
> >  hasher-priv/epoll.c               |  39 +++
> >  hasher-priv/epoll.h               |  18 ++
> >  hasher-priv/hasher-priv.c         |  78 ++++++
> >  hasher-priv/hasher-privd.c        | 375 ++++++++++++++++++++++++++++
> >  hasher-priv/hasher-privd.service  |  11 +
> >  hasher-priv/hasher-privd.sysvinit |  86 +++++++
> >  hasher-priv/io_log.c              |   2 +-
> >  hasher-priv/io_x11.c              |   2 +-
> >  hasher-priv/killuid.c             |   2 +-
> >  hasher-priv/logging.c             |  64 +++++
> >  hasher-priv/logging.h             |  55 +++++
> >  hasher-priv/main.c                |  75 ------
> >  hasher-priv/pass.c                | 117 ++++++++-
> >  hasher-priv/pidfile.c             | 128 ++++++++++
> >  hasher-priv/pidfile.h             |  44 ++++
> >  hasher-priv/priv.h                |  35 ++-
> >  hasher-priv/server.conf           |  22 ++
> >  hasher-priv/sockets.c             | 183 ++++++++++++++
> >  hasher-priv/sockets.h             |  32 +++
> >  hasher-priv/x11.c                 |   1 +
> >  31 files changed, 2872 insertions(+), 247 deletions(-)
> >  create mode 100644 hasher-priv/caller_server.c
> >  create mode 100644 hasher-priv/caller_task.c
> >  create mode 100644 hasher-priv/cgroup.c
> >  create mode 100644 hasher-priv/communication.c
> >  create mode 100644 hasher-priv/communication.h
> >  create mode 100644 hasher-priv/epoll.c
> >  create mode 100644 hasher-priv/epoll.h
> >  create mode 100644 hasher-priv/hasher-priv.c
> >  create mode 100644 hasher-priv/hasher-privd.c
> >  create mode 100644 hasher-priv/hasher-privd.service
> >  create mode 100755 hasher-priv/hasher-privd.sysvinit
> >  create mode 100644 hasher-priv/logging.c
> >  create mode 100644 hasher-priv/logging.h
> >  delete mode 100644 hasher-priv/main.c
> >  create mode 100644 hasher-priv/pidfile.c
> >  create mode 100644 hasher-priv/pidfile.h
> >  create mode 100644 hasher-priv/server.conf
> >  create mode 100644 hasher-priv/sockets.c
> >  create mode 100644 hasher-priv/sockets.h
> > 



-- 
Rgrds, legion


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Arseny Maslennikov]

[-- Attachment #1: Type: text/plain, Size: 2528 bytes --]

On Thu, Oct 01, 2020 at 07:21:11PM +0200, Alexey Gladkov wrote:
> On Thu, Sep 17, 2020 at 04:09:35PM +0300, Arseny Maslennikov wrote:
> > On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> > > From: Alexey Gladkov <legion@altlinux.org>
> > > 
> > > The hasher-priv is a SUID utility. This is not good. Separation of the
> > > server and client parts will allow us to remove SUID flag.
> > > 
> > > The separation of server and client is not intended to give clients
> > > access over the network. This separation is only necessary to distinguish
> > > privileges. Only UNIX domain socket is used.
> > > 
> > > A separate session process is created for each connected user. Each such
> > > process ends after a certain period of inactivity.
> > 
> > Thank you for trying this idea out; despite the trolling attempts, this
> > effort is long welcome.
> 
> I created this patchset a long time ago. I've already lost my context. It
> might be better if you keep working on this patch.
> 

Great! I'd like to work on this further.

> > There are some issues with the patchset, which I intend to cover in
> > subsequent emails. I have published[1] some fix-up commits on top of
> > these patches in an attempt to ensure that, barring the issues with a
> > known fix, this works; however, some bugs are definitely still unsolved
> > by now, so I decided to discuss the more apparent points first.
> > 
> > [1] http://git.altlinux.org/people/arseny/packages/hasher-priv.git?a=summary
> 
> It looks like you've already started working on finalizing this patch :)
> 
> > There's an issue when hasher-privd tries to fulfill a chrootuid{1,2}
> > request: the (eventually) unprivileged task executor process
> > successfully invokes waitpid() or the likes on a child process,
> > select()s on I/O descriptors, but gets CHLD later — and it looks like
> > the inherited signal handler causes it to wait again.
> 
> Hm...
> 
> > I've not yet found a decent reproducer — the following command:
> > `hsh-shell $workdir'
> 
> There is no such command. You need to send command to run /bin/sh.

Yes, there's no such IPC command, I was referring to a shell command run
in the host system by the caller user.

> 
> > reproduces the issue reliably for me, but hsh-mkchroot, hsh-rmchroot,
> > hsh-install are all OK. The root cause nevertheless is not yet
> > established. It looks like this has to be patched somewhere in
> > chrootuid(), but I might be wrong on this one.
> > 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Gladkov]

[-- Attachment #1: Type: text/plain, Size: 3249 bytes --]

On Thu, Oct 01, 2020 at 08:44:00PM +0300, Arseny Maslennikov wrote:
> On Thu, Oct 01, 2020 at 07:21:11PM +0200, Alexey Gladkov wrote:
> > On Thu, Sep 17, 2020 at 04:09:35PM +0300, Arseny Maslennikov wrote:
> > > On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> > > > From: Alexey Gladkov <legion@altlinux.org>
> > > > 
> > > > The hasher-priv is a SUID utility. This is not good. Separation of the
> > > > server and client parts will allow us to remove SUID flag.
> > > > 
> > > > The separation of server and client is not intended to give clients
> > > > access over the network. This separation is only necessary to distinguish
> > > > privileges. Only UNIX domain socket is used.
> > > > 
> > > > A separate session process is created for each connected user. Each such
> > > > process ends after a certain period of inactivity.
> > > 
> > > Thank you for trying this idea out; despite the trolling attempts, this
> > > effort is long welcome.
> > 
> > I created this patchset a long time ago. I've already lost my context. It
> > might be better if you keep working on this patch.
> > 
> 
> Great! I'd like to work on this further.

You have asked many questions. I didn’t answer everything because these
patches are already 5 years old and I can hardly remember what I had in my
head when I did them. Submitting patches to the mailing list was the
second attempt to upstream them. Actually, I was afraid of losing them
altogether, so I merged some of the patches. Originally I had about 10
patches in a patchset.

I'm not sure if I have time for this rework. But we can try. We can
discuss the hasher-privd in russian if you like :)

> > > There are some issues with the patchset, which I intend to cover in
> > > subsequent emails. I have published[1] some fix-up commits on top of
> > > these patches in an attempt to ensure that, barring the issues with a
> > > known fix, this works; however, some bugs are definitely still unsolved
> > > by now, so I decided to discuss the more apparent points first.
> > > 
> > > [1] http://git.altlinux.org/people/arseny/packages/hasher-priv.git?a=summary
> > 
> > It looks like you've already started working on finalizing this patch :)
> > 
> > > There's an issue when hasher-privd tries to fulfill a chrootuid{1,2}
> > > request: the (eventually) unprivileged task executor process
> > > successfully invokes waitpid() or the likes on a child process,
> > > select()s on I/O descriptors, but gets CHLD later — and it looks like
> > > the inherited signal handler causes it to wait again.
> > 
> > Hm...
> > 
> > > I've not yet found a decent reproducer — the following command:
> > > `hsh-shell $workdir'
> > 
> > There is no such command. You need to send command to run /bin/sh.
> 
> Yes, there's no such IPC command, I was referring to a shell command run
> in the host system by the caller user.
> 
> > 
> > > reproduces the issue reliably for me, but hsh-mkchroot, hsh-rmchroot,
> > > hsh-install are all OK. The root cause nevertheless is not yet
> > > established. It looks like this has to be patched somewhere in
> > > chrootuid(), but I might be wrong on this one.
> > > 



-- 
Rgrds, legion


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Arseny Maslennikov]

[-- Attachment #1: Type: text/plain, Size: 4901 bytes --]

On Thu, Oct 01, 2020 at 10:01:29PM +0200, Alexey Gladkov wrote:
> On Thu, Oct 01, 2020 at 08:44:00PM +0300, Arseny Maslennikov wrote:
> > On Thu, Oct 01, 2020 at 07:21:11PM +0200, Alexey Gladkov wrote:
> > > On Thu, Sep 17, 2020 at 04:09:35PM +0300, Arseny Maslennikov wrote:
> > > > On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> > > > > From: Alexey Gladkov <legion@altlinux.org>
> > > > > 
> > > > > The hasher-priv is a SUID utility. This is not good. Separation of the
> > > > > server and client parts will allow us to remove SUID flag.
> > > > > 
> > > > > The separation of server and client is not intended to give clients
> > > > > access over the network. This separation is only necessary to distinguish
> > > > > privileges. Only UNIX domain socket is used.
> > > > > 
> > > > > A separate session process is created for each connected user. Each such
> > > > > process ends after a certain period of inactivity.
> > > > 
> > > > Thank you for trying this idea out; despite the trolling attempts, this
> > > > effort is long welcome.
> > > 
> > > I created this patchset a long time ago. I've already lost my context. It
> > > might be better if you keep working on this patch.
> > > 
> > 
> > Great! I'd like to work on this further.
> 
> You have asked many questions. I didn’t answer everything because these
> patches are already 5 years old and I can hardly remember what I had in my
> head when I did them. Submitting patches to the mailing list was the
> second attempt to upstream them. Actually, I was afraid of losing them
> altogether, so I merged some of the patches. Originally I had about 10
> patches in a patchset.
> 
> I'm not sure if I have time for this rework. But we can try.

So, I guess you won't mind if I would prepare a v2 which fixes some of
the issues discussed, based on my repo. We're in no hurry, since Dmitry
is currently away for the next couple of weeks.

> We can
> discuss the hasher-privd in russian if you like :)

I'm personally fine with both english and russian; looks like you're too.
The remaining concerns are:
* if everyone else interested can respond and continue the conversation
* if the community around hasher ever goes international.

I responded in english, since the patch messages were in english, and in
that case I usually take the (nowadays rare with covid) opportunity to
practice. Если же то, на что я отвечаю, пишут по-русски, то и отвечать,
наверное, следует тоже по-русски.

Если вдруг чувствуете, что лучше по-русски, можете на русский переключаться.

Ну и иногда пишешь что-то по-русски в некоторый
профессионально-технический разговор, а в реплике столько оказывается
непереводных терминов и собственных имён, что уж лучше по-английски бы писал. :)

> 
> > > > There are some issues with the patchset, which I intend to cover in
> > > > subsequent emails. I have published[1] some fix-up commits on top of
> > > > these patches in an attempt to ensure that, barring the issues with a
> > > > known fix, this works; however, some bugs are definitely still unsolved
> > > > by now, so I decided to discuss the more apparent points first.
> > > > 
> > > > [1] http://git.altlinux.org/people/arseny/packages/hasher-priv.git?a=summary
> > > 
> > > It looks like you've already started working on finalizing this patch :)
> > > 
> > > > There's an issue when hasher-privd tries to fulfill a chrootuid{1,2}
> > > > request: the (eventually) unprivileged task executor process
> > > > successfully invokes waitpid() or the likes on a child process,
> > > > select()s on I/O descriptors, but gets CHLD later — and it looks like
> > > > the inherited signal handler causes it to wait again.
> > > 
> > > Hm...
> > > 
> > > > I've not yet found a decent reproducer — the following command:
> > > > `hsh-shell $workdir'
> > > 
> > > There is no such command. You need to send command to run /bin/sh.
> > 
> > Yes, there's no such IPC command, I was referring to a shell command run
> > in the host system by the caller user.
> > 
> > > 
> > > > reproduces the issue reliably for me, but hsh-mkchroot, hsh-rmchroot,
> > > > hsh-install are all OK. The root cause nevertheless is not yet
> > > > established. It looks like this has to be patched somewhere in
> > > > chrootuid(), but I might be wrong on this one.
> > > > 
> 
> 
> 
> -- 
> Rgrds, legion
> 



> _______________________________________________
> Devel mailing list
> Devel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [devel] [PATCH hasher-priv v1 0/3] Make a daemon from the hasher-priv

[Alexey Gladkov]

[-- Attachment #1: Type: text/plain, Size: 3954 bytes --]

On Fri, Oct 02, 2020 at 12:53:45AM +0300, Arseny Maslennikov wrote:
> On Thu, Oct 01, 2020 at 10:01:29PM +0200, Alexey Gladkov wrote:
> > On Thu, Oct 01, 2020 at 08:44:00PM +0300, Arseny Maslennikov wrote:
> > > On Thu, Oct 01, 2020 at 07:21:11PM +0200, Alexey Gladkov wrote:
> > > > On Thu, Sep 17, 2020 at 04:09:35PM +0300, Arseny Maslennikov wrote:
> > > > > On Fri, Dec 13, 2019 at 12:42:02PM +0100, Alex Gladkov wrote:
> > > > > > From: Alexey Gladkov <legion@altlinux.org>
> > > > > > 
> > > > > > The hasher-priv is a SUID utility. This is not good. Separation of the
> > > > > > server and client parts will allow us to remove SUID flag.
> > > > > > 
> > > > > > The separation of server and client is not intended to give clients
> > > > > > access over the network. This separation is only necessary to distinguish
> > > > > > privileges. Only UNIX domain socket is used.
> > > > > > 
> > > > > > A separate session process is created for each connected user. Each such
> > > > > > process ends after a certain period of inactivity.
> > > > > 
> > > > > Thank you for trying this idea out; despite the trolling attempts, this
> > > > > effort is long welcome.
> > > > 
> > > > I created this patchset a long time ago. I've already lost my context. It
> > > > might be better if you keep working on this patch.
> > > > 
> > > 
> > > Great! I'd like to work on this further.
> > 
> > You have asked many questions. I didn’t answer everything because these
> > patches are already 5 years old and I can hardly remember what I had in my
> > head when I did them. Submitting patches to the mailing list was the
> > second attempt to upstream them. Actually, I was afraid of losing them
> > altogether, so I merged some of the patches. Originally I had about 10
> > patches in a patchset.
> > 
> > I'm not sure if I have time for this rework. But we can try.
> 
> So, I guess you won't mind if I would prepare a v2 which fixes some of
> the issues discussed, based on my repo. We're in no hurry, since Dmitry
> is currently away for the next couple of weeks.

Sure! I have been waiting for a reaction for 5 years. We are definitely in
no hurry :)

> > We can
> > discuss the hasher-privd in russian if you like :)
> 
> I'm personally fine with both english and russian; looks like you're too.
> The remaining concerns are:
> * if everyone else interested can respond and continue the conversation
> * if the community around hasher ever goes international.

I can hardly imagine a situation that someone who is not russian speaking
would want to discuss these patches in this mailing list. If that happens
then I'll probably eat my red hat :)

> I responded in english, since the patch messages were in english, and in
> that case I usually take the (nowadays rare with covid) opportunity to
> practice. Если же то, на что я отвечаю, пишут по-русски, то и отвечать,
> наверное, следует тоже по-русски.

Я тоже стараюсь придерживаться такого подхода.

> Если вдруг чувствуете, что лучше по-русски, можете на русский переключаться.

Я пишу по-английски хуже и медленнее. Просто Дима меня совсем бы не понял,
если бы я коммиты по-русски написал :)

> Ну и иногда пишешь что-то по-русски в некоторый
> профессионально-технический разговор, а в реплике столько оказывается
> непереводных терминов и собственных имён, что уж лучше по-английски бы писал. :) 

Зато это мне лишняя практика русского :)

-- 
Rgrds, legion


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]