RFC: baseline requirements for Ubuntu rootfs: xattrs and fscaps

Stéphane Graber stgraber at ubuntu.com
Sun Aug 5 17:07:16 UTC 2018 

On Sun, Aug 05, 2018 at 11:18:49AM -0400, Stéphane Graber wrote:
> On Wed, Aug 01, 2018 at 05:58:56PM -0700, Steve Langasek wrote:
> > A recent customer bug report revealed that we have packages in the standard
> > Ubuntu system (mtr-tiny) which are making use of filesystem capabilities, to
> > reduce the need for suid binaries on the system:
> > 
> > $ getcap /usr/bin/mtr-packet 
> > /usr/bin/mtr-packet = cap_net_raw+ep
> > $
> > 
> > The customer bug report arose because today, we are not handling all Ubuntu
> > images in an xattr-safe manner.  E.g., on a freshly-launched cosmic lxd
> > container here:
> > 
> > $ lxc exec caring-calf -- getcap /usr/bin/mtr-packet
> > $
> > 
> > This prevents the software from working as intended by the Debian
> > maintainer; the command will only succeed as root in such an environment,
> > where it is intended to be runnable as a non-root user.
> > 
> > We have previously dealt with such an incompatibility in the iputils package
> > by introducing an Ubuntu delta
> > (https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1302192), restoring
> > use of suid in place of fscaps.  This is suboptimal because:
> > 
> >  - It violates the principle of least privilege; why give processes full
> >    root privs if cap_net_raw is all they need?
> >  - It's a game of whack-a-mole.  We fixed iputils in response to bug
> >    reports, but the wrong privileges on mtr-packet went unnoticed.  There
> >    may be other bugs in the future again caused by failing to preserve
> >    xattrs.
> > 
> > I am therefore proposing that we explicitly raise the requirements for
> > Ubuntu root filesystems to always be transported in an xattr-preserving
> > manner.
> > 
> > This will require bugfixes in various places, but ideally on a one-time
> > basis only.  The primary areas of concern are:
> > 
> >  - Where root filesystems are distributed as tarballs, they are not
> >    currently created with --xattrs; this will need to be changed.
> >  - Users who are unpacking root tarballs need to take care to pass
> >    --xattrs-include=* to tar.
> >  - Users who are backing up or streaming Ubuntu root filesystems with tar or
> >    rsync will need to take care to pass non-default xattr-preserving options
> >    (tar --xattrs; rsync -X).
> >  - GNU tar's xattrs format incompatible with other unpack implementations
> >    (e.g. libarchive)[1].  Anyone using another unpacker will necessarily
> >    end up without fscaps.
> >  - lxd will require some additional work in order for fscaps to work as
> >    expected in unprivileged containers[2].
> 
> We've taken care of this part now:
>  - https://github.com/lxc/lxd/pull/4861
>  - https://github.com/lxc/lxd/pull/4868
>  - https://github.com/lxc/lxd/pull/4870
>  - https://github.com/lxc/lxd/pull/4875
> 
> Note that this requires a 4.14 or higher kernel to work as it requires
> support for unprivileged file capabilities.
> 
> For Ubuntu specifically, this particular patchset (written by Serge
> Hallyn) is getting backported to our 4.4 kernel, but that won't be true
> for other distributions.
> 
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1778286

And just noticed that we have another problem on Xenial as our
squashfs-tools there has broken xattr support in unsquashfs.

I filed a bug and will follow-up with a SRU shortly:

https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1785499


> > The parts of this that require changes to Ubuntu seem doable within the
> > 18.10 timeframe, and backportable to 18.04 (where the handling of mtr-tiny
> > is also buggy), after which we could drop the Ubuntu delta for iputils.
> > 
> > The parts of this that involve changes to user behavior are less
> > controllable; hence raising visibility on this question in a public forum.
> > 
> > Thoughts?
> > 
> > -- 
> > Steve Langasek                   Give me a lever long enough and a Free OS
> > Debian Developer                   to set it on, and I can move the world.
> > Ubuntu Developer                                   https://www.debian.org/
> > slangasek at ubuntu.com                                     vorlon at debian.org
> > 
> > [1] https://github.com/opencontainers/image-spec/issues/725
> > [2] https://github.com/lxc/lxd/issues/4862
> 
> 
> 
> > -- 
> > ubuntu-devel mailing list
> > ubuntu-devel at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
> 
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20180805/a460b5cd/attachment.sig>

More information about the ubuntu-devel mailing list