On 1/7/25 09:22, enh wrote:
I guess "setpriv" would be interesting to someone who actually uses
selinux? Or no, is this capability bits?
interestingly, it looks like "all of the above" --- it's a single command
that lets you mess with ids, groups, environment, capabilities, selinux
labels, etc... an interesting idea in theory, but this is the first i've
ever heard of its existence.
Debian installs it by default from util-linux, git log says busybox
added it in 2017.
Argues for implementing it as is, I suppose, except... setpriv -d lists
"supplementary groups" but busybox --help doesn't say how to CHANGE
them? Ah, the man page says there's a --clear-groups and --groups which
are LONGOPTS ONLY and thus very annoying... One of the options just
references "man 3 initgroups" which can't be right. "For safety" we
don't select a consistent default behavior because we are cowards...
--pdeathsig keep|clear|<signal>
Keep, clear or set the parent death signal. Some LSMs, most notably
SELinux and AppArmor, clear the signal when the process'
credentials change. Using --pdeathsig keep will restore the parent
death signal after changing credentials to remedy that situation.
Really? (I am not implementing app-armor profiles without someone
actually using it asking me to.)
I don't need --reset-env we have an "env" command already.
Be careful with this tool — it may have unexpected security
consequences. For example, setting no_new_privs and then execing a
program that is SELinux-confined (as this tool would do) may prevent
the SELinux restrictions from taking effect.
Security plumbing in a nutshell: "caution, this is just as likely to
make it worse".
Ok, reading the man page is arguing AGAINST implementing this mess as
is. Maybe I _should_ just do a "contain" command where I can use single
letter options for stuff. (You kind of have to in order to chroot() and
_then_ drop privileges. And an actually secure-ish chroot uses
pivot_root() for reasons I've vented about _at_Linus_. Why doesn't
chroot also do chdir? So it can be insecure. No other reason as far as I
can tell...)
Yeah, there's other holes: linux-vserver.org/Secure_chroot_Barrier
(Somewhere in my notes I have a survey of other "contain" style commands
people were doing...)
I've had a hard time taking
those seriously since:
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
But I guess it's vaguely adjacent to "unshare"? (Which toybox already
has. I've meant to do a "contain" command that set all that nonsense
from one command line, so you can make a wrapper script to enter a
container...)
...and annoyingly, the one thing that setpriv is _missing_ is the unshare
stuff :-(
They stack. My debootstrap launch wrapper is:
sudo env -i USER=root TERM=linux SHELL=/bin/bash LANG=$LANG
PATH=/bin:/sbin:/usr/bin:/usr/sbin unshare -Cimpuf chroot newroot /init
Modulo there was a discussion on here about me needing to fix up toybox
unshare to handle some no-root case the kernel had added, which I
couldn't test at the time until after I'd upgraded to a new OS release,
but after the reinstall I don't have the URL to the message bookmarked
and haven't managed to dig it up again since? (I have the todo item
reminding me to do it, but have to dig through the archive to find the
old message. Was it mailing list, or github, or private email, or
something somebody said you can now do on the kernel list and I went "I
should implement that", or...?)
For that matter, was it unshare or nsenter?
yeah, for that i think you just have to scan down
https://landley.net/toybox/help.html
and
https://man.archlinux.org/man/busybox.1.en#COMMAND_DESCRIPTIONS
and see if there's anything you care about.
(busybox.net seems to be down atm.)
Up for me. https://busybox.net/downloads/BusyBox.html
or just "suck it and see", which is basically what Android did for the host
build.
Alas real world use is the only REAL test, which is why I need to get
the linux from scratch build working again...
Rob
_______________________________________________
Toybox mailing list
Toybox@lists.landley.net
http://lists.landley.net/listinfo.cgi/toybox-landley.net
