machined: do not allow unprivileged users to shell into the root namespace

We intend to make self-registering machines an unprivileged operation, but currently that would allow an unprivileged user to register a process they own in the root namespace, and then login as any user they like, including root, which is not ideal. Forbid non-root from shelling into a machine that is running in the root user namespace.
2025-10-06 00:13:24 +02:00 · 2025-09-24 15:42:51 +01:00
parent 6cae201ca1
commit c5e48e3a66
2 changed files with 38 additions and 0 deletions
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@@ -20,6 +20,7 @@
 #include "machine-dbus.h"
 #include "machined.h"
 #include "mount-util.h"
+#include "namespace-util.h"
 #include "operation.h"
 #include "path-util.h"
 #include "signal-util.h"
@@ -355,6 +356,25 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
        if (r < 0)
                return r;
        user = isempty(user) ? "root" : user;
+
+        /* Ensure only root can shell into the root namespace, unless it's specifically the host machine,
+         * which is owned by uid 0 anyway and cannot be self-registered. This is to avoid unprivileged
+         * users registering a process they own in the root user namespace, and then shelling in as root
+         * or another user. Note that the shell operation is privileged and requires 'auth_admin', so we
+         * do not need to check the caller's uid, as that will be checked by polkit, and if they machine's
+         * and the caller's do not match, authorization will be required. It's only the case where the
+         * caller owns the machine that will be shortcut and needs to be checked here. */
+        if (m->uid != 0 && m->class != MACHINE_HOST) {
+                r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER);
+                if (r < 0)
+                        return r;
+                if (r != 0)
+                        return sd_bus_error_set(
+                                        error,
+                                        SD_BUS_ERROR_ACCESS_DENIED,
+                                        "Only root may shell into the root user namespace");
+        }
+
        r = sd_bus_message_read_strv(message, &args_wire);
        if (r < 0)
                return r;
--- a/test/units/TEST-13-NSPAWN.unpriv.sh
+++ b/test/units/TEST-13-NSPAWN.unpriv.sh
@@ -69,4 +69,22 @@ machinectl terminate zurps
        "$(systemctl show -p MainPID --value systemd-logind.service)" \
        "$PWD")

+run0 -u testuser \
+    busctl call \
+        org.freedesktop.machine1 \
+        /org/freedesktop/machine1 \
+        org.freedesktop.machine1.Manager \
+        RegisterMachine \
+        'sayssus' \
+        shouldnotwork2 \
+        16 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 \
+        "" \
+        container \
+        "$(systemctl show -p MainPID --value user@4711.service)" \
+        "$PWD"
+(! run0 -u testuser machinectl shell shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell root@shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell 0@shouldnotwork2 /usr/bin/id -u)
+(! run0 -u testuser machinectl shell testuser@shouldnotwork2 /usr/bin/id -u)
+
 loginctl disable-linger testuser