LinuxQuestions.org
Old 06-03-2014, 05:38 AM   #1
chris.willing
LQ Newbie
 
Registered: Jun 2014
Posts: 24

Update shadow for -current please?


The shadow in -current is 4.1.5.1. The most recent upstream is 4.2.1 (see: http://pkg-shadow.alioth.debian.org/). Why upgrade? Version 4.2 introduced support for subuid & subgid which are important (mandatory) for running LXC (Linux Containers) as normal user.

Is this important? Well, on my own boxes I can always sudo but in the lab that I run I don't want all users to have sudo privileges. Like, say, VirtualBox, LXC should be able to be run as a normal user. An upgraded shadow package would enable this.

chris
 
Old 06-03-2014, 08:10 AM   #2
WhiteWolf1776
Member
 
Registered: Oct 2010
Location: Pittsburgh, PA
Distribution: Slackware
Posts: 224

Odd... I've run VirtualBox as a normal user for years before switching to KVM... maybe your users just need to be in proper groups?
 
Old 06-03-2014, 08:21 AM   #3
chris.willing
LQ Newbie
 
Registered: Jun 2014
Posts: 24

Original Poster
What I mean is that, just as you say, VirtualBox can be run as a normal user. On the other hand LXC (lxc-start etc.) needs to be run as root or via sudo. A shadow package with subuid & subgid support would enable LXC to be run by a normal user, just like VirtualBox.

chris
 
2 members found this post helpful.
Old 06-03-2014, 10:02 AM   #4
Drakeo
Senior Member
 
Registered: Jan 2008
Location: Urbana IL
Distribution: Slackware, Slacko,
Posts: 2,577
Blog Entries: 3

Do you have a Slackware question?
 
Old 06-03-2014, 10:08 AM   #5
moisespedro
Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware and LFS
Posts: 919

Couldn't you upgrade it yourself?
Or does a shadow upgrade break a lot of packages?
 
Old 06-03-2014, 12:55 PM   #6
mancha
Member
 
Registered: Aug 2012
Posts: 313

Quote:
Originally Posted by Drakeo View Post
do you have a Slackware question. ?
Isn't his question about Slackware?

===

The OP makes a good case why the new Shadow version should be considered for the next Slackware release. Being able to use user namespaces with LXC containers is a very important feature. Without that, LXC containment is rather unsafe: uid 0 inside the container is uid 0 outside, meaning an escape from isolation can have catastrophic consequences. It doesn't end there; to improve the security of your LXC container you need to also be concerned with issues like resource sharing, etc.

Also, if the new Shadow is going to end up in the next Slackware, inclusion in Slackware-current is better sooner than later to increase the probability that bugs/issues/etc. are found and reported before the stable release.

Chris:

Pat visits LQ but I am not sure how regularly. You might want to also send a similar request directly to him via email. In addition to the Shadow bump you would need to request that Pat: a) upgrade to LXC 1.0+ (as of 20140602, 1.0.3 is the latest), and b) add user namespace support to the kernel (CONFIG_USER_NS). When doing that I recommend adding memory resource controllers (CONFIG_MEMCG & CONFIG_MEMCG_KMEM).

--mancha

Last edited by mancha; 06-03-2014 at 01:27 PM. Reason: Mention LXC upgrade
 
4 members found this post helpful.
Old 06-03-2014, 01:58 PM   #7
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,447

and, if you like, you can also add to the recipe the two new deps libnih/cgmanager, and also patch slackpkg accordingly (just two small patches I've been testing for some years, one to respect the $ROOT environment variable like installpkg does and another that lets you specify a custom CONF directory) to use with it a template I've created and have a debootstrap-like tool to create containers.

http://ponce.cc/slackware/testing/lxc/

thanks Chris for your work with lxc

Last edited by ponce; 06-03-2014 at 02:00 PM.
 
1 members found this post helpful.
Old 06-04-2014, 02:52 AM   #8
dederon
Member
 
Registered: Oct 2013
Posts: 33

Quote:
Originally Posted by chris.willing View Post
Version 4.2 introduced support for subuid & subgid which are important (mandatory) for running LXC (Linux Containers) as normal user.
That's interesting. LXC 1.0 needed PAM to run as a normal user. Did that change in the meantime?
 
Old 06-29-2014, 05:26 AM   #9
chris.willing
LQ Newbie
 
Registered: Jun 2014
Posts: 24

Original Poster
I guess the question about PAM arose because it's listed as a prerequisite at Stephane Graber's https://www.stgraber.org/2014/01/17/...ed-containers/ page. I posted a question there about it but received no reply. Anyway, after lots of testing I can say that the answer is no, PAM is not needed.

For those interested, I set up a VM with slack64-current, modified the config & rebuilt the kernel and installed the latest shadow (that includes subuid & subgid support) and lxc-1.0.4, then followed the steps outlined on Stephane's web page. At first I had very limited success until I realized that lxc wasn't able to manipulate /sys/fs/cgroup entries on my behalf. It turned out that I needed the cgmanager daemon/application as well to provide that cgroup access in a neat way. After that I was able to download and run Stephane's premade containers as a normal user (it's quite strange watching the latest Ubuntu run inside Slackware without vbox or kvm). I also made a new Slackware template that I can create and run a container from, although this was initially a bit trickier to do. As explained on Stephane's page, there is a problem with ordinary users running a creation template since it will need to do things like run mknod - that's a no-go. That's the reason Stephane is providing a bunch of premade containers. I therefore first created a "normal" container using sudo, then ran a small application called "uidmapshift" to convert the new container's uids & gids into the range allocated to the ordinary user. Then after moving the container into the ordinary user's designated space ($HOME/.local/share/lxc/), I was able to run the new container as a regular user. Success!

I'll make a web page sometime documenting it all. In the meantime, it works enough that I now feel I can approach Pat about updating the shadow package and adding CONFIG_USER_NS to the kernel config (CONFIG_MEMCG & CONFIG_MEMCG_KMEM are already enabled in the -current kernel). I'm not sure how he'll feel about adding cgmanager and dependent libnih packages to Slackware proper but I already have SlackBuilds which could be submitted to Slackbuilds.org.

chris
 
2 members found this post helpful.
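To make concrete what the subuid/subgid allocation in post #6 and the "uidmapshift" step in post #9 amount to, here is an added example (not code from the thread, from shadow or from LXC): it parses /etc/subuid-style ranges, derives the lxc.id_map lines, and shifts a sudo-created container's ownership into the user's range. The user name chris, the range values and the container ownership table are constructed for the example.

```python
# Added example, not from the thread or from shadow/LXC: model the per-user
# ranges shadow 4.2 keeps in /etc/subuid and /etc/subgid, derive the LXC
# lxc.id_map lines, and shift a sudo-created container's ownership into them.

# Constructed /etc/subuid and /etc/subgid content (format: user:start:count).
SUBUID_TEXT = "chris:100000:65536\nalice:165536:65536\n"
SUBGID_TEXT = "chris:100000:65536\nalice:165536:65536\n"

def parse_subid(text):
    """Return {user: (start, count)} from subuid/subgid-formatted text."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges[user] = (int(start), int(count))
    return ranges

def id_map_lines(user, subuids, subgids):
    """Container ids 0..count-1 map onto the host range allocated to user."""
    ustart, ucount = subuids[user]
    gstart, gcount = subgids[user]
    return ["lxc.id_map = u 0 %d %d" % (ustart, ucount),
            "lxc.id_map = g 0 %d %d" % (gstart, gcount)]

def shift_tree(tree, subuids, subgids, user):
    """Rewrite (uid, gid) of every path in a container rootfs model from the host
    ids a root-run template left behind into the user's range. Ids outside
    0..count-1 are rejected: they would show up as nobody inside the container."""
    ustart, ucount = subuids[user]
    gstart, gcount = subgids[user]
    shifted = {}
    for path, (uid, gid) in tree.items():
        if not (0 <= uid < ucount and 0 <= gid < gcount):
            raise ValueError("%s: %d:%d outside container range" % (path, uid, gid))
        shifted[path] = (uid + ustart, gid + gstart)
    return shifted

def no_host_root_owner(tree):
    """True when nothing in the tree is owned by host uid 0 or gid 0; this is
    what makes container root harmless on the host after shifting."""
    return all(uid != 0 and gid != 0 for uid, gid in tree.values())

# Constructed ownership of a container built with sudo: real host ids.
CONTAINER_TREE = {"/": (0, 0), "/etc/shadow": (0, 42), "/home/user": (1000, 1000)}

if __name__ == "__main__":
    subuids, subgids = parse_subid(SUBUID_TEXT), parse_subid(SUBGID_TEXT)
    print("\n".join(id_map_lines("chris", subuids, subgids)))
    print(shift_tree(CONTAINER_TREE, subuids, subgids, "chris"))
```

Run against the constructed tree, container root ends up as host uid 100000, which is why an escape from such a container does not hand out host root.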
Old 06-29-2014, 05:51 AM   #10
dederon
Member
 
Registered: Oct 2013
Posts: 33

Thanks a lot, please keep us updated about your documentation efforts. Using a normal user as container root is something I really would like to try. Usage of CONFIG_USER_NS was discouraged when I tinkered with lxc, maybe that changed. I had to recompile my kernel just because of this, which is annoying.
 
Old 06-29-2014, 08:36 PM   #11
chris.willing
LQ Newbie
 
Registered: Jun 2014
Posts: 24

Original Poster
Yes, I see that Arch doesn't enable CONFIG_USER_NS yet after concerns about elevating a normal user to root privileges. They were going to reconsider "later" but it's still unset in the current version I just checked. I also checked the latest Debian (7.5), Ubuntu (14.04) and Fedora (20) and CONFIG_USER_NS is enabled in all of those. Not to say we should be strictly following the pack; just that CONFIG_USER_NS=yes has been out there in the wild for a while now and I haven't seen any reports of problems attributable to it.

The big thing about CONFIG_USER_NS is "user namespace" - the granting of any (including root) privilege is confined to a restricted environment (the user's namespace), not system wide. Any such privilege has to be specifically granted - it's not there by default (just able to be given). Of course we should be cautious about the possibility of escaping the restricted environment but, as above, it's been around for a while now and so far looks pretty safe.

chris
 
Old 06-30-2014, 01:06 AM   #12
mancha
Member
 
Registered: Aug 2012
Posts: 313

Quote:
Originally Posted by chris.willing View Post
Not to say we should be strictly following the pack; just that CONFIG_USER_NS=yes has been out there in the wild for a while now and I haven't seen any reports of problems attributable to it.
Hi Chris.

Many thanks for your ongoing testing of the new Shadow, LXC, etc. Regarding your above comment, a flaw was recently found in user namespaces that can be exploited under certain conditions to escalate privileges (CVE-2014-4014). This obviously is relevant within the context of secure containment.

Fixes were introduced in: 3.10.44, 3.12.23, 3.14.8, and 3.16rc1.

--mancha

Last edited by mancha; 06-30-2014 at 02:58 AM. Reason: Fix typo in CVE ID
 
Old 06-30-2014, 01:51 AM   #13
chris.willing
LQ Newbie
 
Registered: Jun 2014
Posts: 24

Original Poster
Thanks for finding that mancha - it's good to have all such problems (and fixes) out in the open so that any new features can be introduced with confidence. Hopefully the next -current updates will have kernel >= 3.14.8 then, it's not much of a bump.

chris
 
Old 06-30-2014, 02:15 AM   #14
mancha
Member
 
Registered: Aug 2012
Posts: 313

Agreed. I wanted to let you know because it seems you're preparing a set of requests for Pat to consider. This way you can let him know about the issue and which 3.14.x introduced a fix.

Also, I wanted to let other slackers know in case they decide to use user namespaces with their LXC containers on their own kernels (say 14.1 users sticking to 3.10.x).

--mancha
 
Old 06-30-2014, 02:25 AM   #15
ml4711
Member
 
Registered: Aug 2012
Location: Ryomgård, Danmark
Distribution: Slackware64
Posts: 84

About CONFIG_USER_NS enabled per default:

Quote:
When user namespaces are enabled in the kernel it is recommended that the MEMCG and MEMCG_KMEM options also be enabled and that user-space use the memory control groups to limit the amount of memory a memory unprivileged users can use

Given this recommendation in the kernel config, it may be an issue in a system with several concurrent users.
 
  

