* AS-safe change for multithreaded setxid breaks chroot() along with set*id()
@ 2016-04-01 20:22 Lance Chen
2016-04-01 20:28 ` Josiah Worcester
0 siblings, 1 reply; 3+ messages in thread
From: Lance Chen @ 2016-04-01 20:22 UTC (permalink / raw)
To: musl
[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]
Hello there,
I have been trying to run powerdns on Alpine Linux, which features musl,
without success. It turns out that the AS-safe strategy introduced in
the patch
http://git.musl-libc.org/cgit/musl/commit/?id=78a8ef47c4d92b7680c52a85f80a81e29da86bb9,
especially the use of reading /proc/self/task, causes the failure. The
failure condition is a combination of three features, pthread, chroot,
and set*id. After chroot()'ing to some directory, calling set*id() will
try to access /proc/self/task, and fail to find the directory in the new
root. I've created a minimal POC at
https://gist.github.com/Lance0312/c7a82793e35b322bfbdfe96b79dd3152.
I understand how important it is to make set*id calls AS-safe, but there
might be a bunch of programs using set*id along with pthread and chroot.
(postfix could be one of them, I haven't take a deeper look at it though)
And I think it does not quite make sense to ask user not to use the
combination of the three features.
Does anyone have any possible fix for this? Or anyone know any WIP on
the Linux kernel to provide a truly atomic set*id syscall among threads?
Related thread: Fixing multithreaded set*id() AS-safety http://www.openwall.com/lists/musl/2014/12/20/1
Cheers,
Lance Chen
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AS-safe change for multithreaded setxid breaks chroot() along with set*id()
2016-04-01 20:22 AS-safe change for multithreaded setxid breaks chroot() along with set*id() Lance Chen
@ 2016-04-01 20:28 ` Josiah Worcester
2016-04-02 1:03 ` Rich Felker
0 siblings, 1 reply; 3+ messages in thread
From: Josiah Worcester @ 2016-04-01 20:28 UTC (permalink / raw)
To: musl
[-- Attachment #1: Type: text/plain, Size: 1179 bytes --]
On Fri, Apr 1, 2016 at 1:23 PM Lance Chen <cyen0312@gmail.com> wrote:
> Hello there,
>
> I have been trying to run powerdns on Alpine Linux, which features musl,
> without success. It turns out that the AS-safe strategy introduced in
> the patch
>
> http://git.musl-libc.org/cgit/musl/commit/?id=78a8ef47c4d92b7680c52a85f80a81e29da86bb9
> ,
> especially the use of reading /proc/self/task, causes the failure. The
> failure condition is a combination of three features, pthread, chroot,
> and set*id. After chroot()'ing to some directory, calling set*id() will
> try to access /proc/self/task, and fail to find the directory in the new
> root. I've created a minimal POC at
> https://gist.github.com/Lance0312/c7a82793e35b322bfbdfe96b79dd3152.
>
>
A fairly simple fix for this would be to create and mount /proc in the
chroot. This is likely to be needed for some other interfaces in libc as
well as other libraries and utilities, because there's functionality of
Linux which is only really exposed in that filesystem. I don't know of
anything in particular that would fail on glibc, but I am confident that
you'll have issues, just like if you don't have /dev in the chroot.
[-- Attachment #2: Type: text/html, Size: 1861 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AS-safe change for multithreaded setxid breaks chroot() along with set*id()
2016-04-01 20:28 ` Josiah Worcester
@ 2016-04-02 1:03 ` Rich Felker
0 siblings, 0 replies; 3+ messages in thread
From: Rich Felker @ 2016-04-02 1:03 UTC (permalink / raw)
To: musl
On Fri, Apr 01, 2016 at 08:28:48PM +0000, Josiah Worcester wrote:
> On Fri, Apr 1, 2016 at 1:23 PM Lance Chen <cyen0312@gmail.com> wrote:
>
> > Hello there,
> >
> > I have been trying to run powerdns on Alpine Linux, which features musl,
> > without success. It turns out that the AS-safe strategy introduced in
> > the patch
> >
> > http://git.musl-libc.org/cgit/musl/commit/?id=78a8ef47c4d92b7680c52a85f80a81e29da86bb9
> > ,
> > especially the use of reading /proc/self/task, causes the failure. The
> > failure condition is a combination of three features, pthread, chroot,
> > and set*id. After chroot()'ing to some directory, calling set*id() will
> > try to access /proc/self/task, and fail to find the directory in the new
> > root. I've created a minimal POC at
> > https://gist.github.com/Lance0312/c7a82793e35b322bfbdfe96b79dd3152.
>
> A fairly simple fix for this would be to create and mount /proc in the
> chroot. This is likely to be needed for some other interfaces in libc as
> well as other libraries and utilities, because there's functionality of
> Linux which is only really exposed in that filesystem. I don't know of
> anything in particular that would fail on glibc, but I am confident that
> you'll have issues, just like if you don't have /dev in the chroot.
Indeed. Due to Linux limitations, it's impossible to provide complete
behavior for some functions without /proc. In the case of set*id, the
right solution is to fix the kernel so that it can atomically change
the ids of a whole process, but I looked at doing that and it's hard
(because of a lot of architectural flaws on the kernel's part, like
using an allocated struct cred and RCU mess to represent ids rather
than just putting them inline in the task struct).
Rich
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-02 1:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-01 20:22 AS-safe change for multithreaded setxid breaks chroot() along with set*id() Lance Chen
2016-04-01 20:28 ` Josiah Worcester
2016-04-02 1:03 ` Rich Felker
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).