
machined: do not allow unprivileged users to shell into the root namespace

We intend to make self-registering machines an unprivileged operation,
but currently that would allow an unprivileged user to register a
process they own in the root namespace, and then log in as any
user they like, including root, which is not ideal.

Forbid non-root from shelling into a machine that is running in
the root user namespace.
This commit is contained in:
Luca Boccassi
2025-09-24 15:42:51 +01:00
committed by Lennart Poettering
parent 6cae201ca1
commit c5e48e3a66
2 changed files with 38 additions and 0 deletions


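--- a/<path-not-shown-file-1>
+++ b/<path-not-shown-file-1>
@@ -20,6 +20,7 @@
 #include "machine-dbus.h"
 #include "machined.h"
 #include "mount-util.h"
+#include "namespace-util.h"
 #include "operation.h"
 #include "path-util.h"
 #include "signal-util.h"
@@ -355,6 +356,25 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
 if (r < 0)
 return r;
 user = isempty(user) ? "root" : user;
+/* Ensure only root can shell into the root namespace, unless it's specifically the host machine,
+ * which is owned by uid 0 anyway and cannot be self-registered. This is to avoid unprivileged
+ * users registering a process they own in the root user namespace, and then shelling in as root
+ * or another user. Note that the shell operation is privileged and requires 'auth_admin', so we
+ * do not need to check the caller's uid, as that will be checked by polkit, and if they machine's
+ * and the caller's do not match, authorization will be required. It's only the case where the
+ * caller owns the machine that will be shortcut and needs to be checked here. */
+if (m->uid != 0 && m->class != MACHINE_HOST) {
+r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER);
+if (r < 0)
+return r;
+if (r != 0)
+return sd_bus_error_set(
+error,
+SD_BUS_ERROR_ACCESS_DENIED,
+"Only root may shell into the root user namespace");
+}
 r = sd_bus_message_read_strv(message, &args_wire);
 if (r < 0)
 return r;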
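Review bot: The denial message `"Only root may shell into the root user namespace"` reads as a check on the caller, but the condition keys off the machine's owner (`m->uid != 0`): a root caller asking for a machine that an unprivileged user registered in the root user namespace is refused as well, and the comment above the check itself says the caller's uid is deliberately not inspected here. Wording the error around the machine avoids confusing that root caller, e.g. `"Shell access into the root user namespace is only allowed for machines owned by root"`. The comment also has a slip: `if they machine's and the caller's do not match` should read `if the machine's uid and the caller's do not match`. If the other methods that act inside the leader's namespaces carry the same self-registration concern, the check would be worth moving into a shared helper so they stay consistent; I cannot tell from this hunk whether they were covered. bus_machine_method_open_shell begins and continues outside the hunk.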


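--- a/<path-not-shown-file-2>
+++ b/<path-not-shown-file-2>
@@ -69,4 +69,22 @@ machinectl terminate zurps
 "$(systemctl show -p MainPID --value systemd-logind.service)" \
 "$PWD")
+run0 -u testuser \
+busctl call \
+org.freedesktop.machine1 \
+/org/freedesktop/machine1 \
+org.freedesktop.machine1.Manager \
+RegisterMachine \
+'sayssus' \
+shouldnotwork2 \
+16 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 \
+"" \
+container \
+"$(systemctl show -p MainPID --value user@4711.service)" \
+"$PWD"
+(! run0 -u testuser machinectl shell shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell root@shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell 0@shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell testuser@shouldnotwork2 /usr/bin/id -u)
 loginctl disable-linger testuser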
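Review bot: The four negated `machinectl shell` lines pass for the wrong reason if the preceding `RegisterMachine` call did not actually register `shouldnotwork2`, since `!` succeeds just as well on a nonexistent machine, so the test does not prove that the new namespace check is what denies access; a positive assertion after the busctl call, e.g. `machinectl status shouldnotwork2`, would pin that down before the negative ones. It would also be worth checking that the failure is the access-denied error and not some unrelated one, by capturing the stderr of one of the shell attempts and matching the expected message. The registration is not cleaned up afterwards, so later steps in the script may still see the stale `shouldnotwork2` entry — presumably until `user@4711.service` goes away, which is worth confirming. The script continues outside the hunk.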