On Sun, May 03, 2009 at 04:39:23PM +0100, Roger Leigh wrote:
> On Sun, May 03, 2009 at 05:12:01PM +0200, Aurelien Jarno wrote:
> > Package: schroot
> > Version: 1.2.2-1
> > Severity: important
> > Tags: security patch
> > 
> > In script mode, schroot mounts a new tmpfs (with a default size of half
> > the RAM) to act as /dev/shm inside the chroot and for each created
> > chroot (a user can create more than one), as shown below. Those
> > directories are world writable, meaning that a user can fill them, and
> > with them RAM and swap. As soon as the whole RAM and swap have been
> > filled, the kernel starts OOM killing every task, leading to a crash
> > of the machine.
> 
> This is also the case for /lib/init/rw.  There should really be a strict
> size limit placed on it (even on the host).  #390184 BTW.

/lib/init/rw is not world writable, so a normal user can't do anything
here.

> > The correct solution here is to bind mount /dev/shm, as it is already
> > done for /home, /tmp and /dev/pts. The patch below does that:
> 
> We share /home, /tmp for user convenience.  We share /dev/pts because
> there's no choice (we could mount it twice but it's pointless).
> For /dev/shm we are sharing the POSIX SHM and SEM data between host
> and chroot.  My question here is, do we want to share that data?
> 
> I'm perfectly happy with the patch, I just want to question whether
> sharing shared memory is needed or desirable.
> 

I am not sure it is something needed or desirable, however I don't think
it is something that hurts. chroot() is something that only isolates the
filesystem, and a lot of things are already shared between the host and
the chroot.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
[email protected]                 http://www.aurel32.net



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to