Discussion summary: Mock security

Michael E Brown Michael_E_Brown at dell.com
Wed Jun 7 16:22:39 UTC 2006 

On Wed, 2006-06-07 at 11:13 -0400, Jeremy Katz wrote:
> David Smith wrote:
> > On Tue, 2006-06-06 at 15:50 -0500, Michael_E_Brown at Dell.com wrote:
> >> After looking closely at the mock-helper source, I have identified
> >> several problematic areas, listed below. I do not believe, given the
> >> current state of mock-helper, that we should endorse the idea of
> >> allowing untrusted users access to the 'mock' group. We should very
> >> prominently label mock as giving, essentially, root access to each user
> >> you allow to run it. I believe the wiki, the help text of "mock -h", the
> >> mock README, and the mock man page should all be updated with this
> >> information.
> > 
> > ... stuff deleted ...
> > 
> > If you implemented all your proposed solutions, do you think that
> > warning could be removed?  Do you think that mock would be secure at
> > that point?
> 
> It sounds like Michael did a pretty full investigation.  And things at 
> least initially weren't bad off in this respect.

I don't want to lead anybody astray here. I am not a security expert, so
there may well be other things here that I am missing. I just pointed
out the ones that were obvious to me.

> 
> > If the answer is no, how much effort do we want to spend here if at some
> > point we have to trust the users in the "mock" group anyway?

Given the current state of mock-helper, I would say a different design
is called for, one where 'untrusted' user cannot pass any data down to a
trusted process, or as a last resort, all data that is passed is subject
to rigorous validation.


> We really want it to be pretty secure, though -- otherwise, it's a risk 
> for build farms and a future where we might try to have shell servers 
> available for all arches for people to test and debug builds.
> 

That is the thinking behind my audit.


> >> Problem area: do_chroot()
> >> 	passes unchecked user data to chroot command. User can easily
> >> get a shell, and, for example, create device nodes.
> [snip]
> > In our case, we're using mock to cross-build RPMs.  Here's how my co-
> > worker Clark Williams <williams at redhat.com> described it a few months
> > ago when he added the chroot command:
> 
> What if, instead, it chrooted + changed to the mockbuild user?  Would 
> that break your usage case?

Since the mockbuild user in the chroot == current user id non-chroot,
this should preclude some problems, the problem is that many operations
will not be able to be done by current user id due to permissions.

The two suggestions I have seen to fix the architecture here are:
  A) A daemon that runs as root. It accepts minimal 'commands' from
untrusted user and uses those commands to build the chroot.

  B) Same idea as above, but as a SUID program instead of daemon.

the problem with (B) is that it will be a C program, where (A) can be a
python executable. I think we all know which one is easier to maintain.

The problem with the implementation of this solution is that it involves
a pretty hefty rewrite of large portions of code, and then re-testing.
It is only worth this effort if somebody steps forward and says they
actually need this level of security.
--
Michael

More information about the Fedora-buildsys-list mailing list