ostree-ext: Keep CAP_DAC_READ_SEARCH when passing auth via fd#2303
ostree-ext: Keep CAP_DAC_READ_SEARCH when passing auth via fd#2303gursewak1997 wants to merge 1 commit into
Conversation
When running under systemd, ostree-ext drops privileges to 'nobody' with setpriv --bounding-set -all. However, skopeo needs to re-open auth file descriptors at /proc/self/fd/N, which requires CAP_DAC_READ_SEARCH. Fix by conditionally keeping this capability when auth_data is present: setpriv --bounding-set -all,+dac_read_search This fixes Anaconda installations with authenticated registries while maintaining security (still runs as unprivileged user). Signed-off-by: gursewak1997 <gursmangat@gmail.com>
Johan-Liebert1
left a comment
There was a problem hiding this comment.
Looks good. Though, I wonder if we can have skopeo consume the inherited fd instead of reopening it
|
Honestly my inclination now is to entirely drop this isolation. We actually never ported it over to composefs-rs either and the fact that it only triggers when run under a systemd unit cuts our test coverage. I think the core concept still makes sense, but ultimately if we move to doing "podman pull" or equivalent anyways (ref #20 ) then the code is totally dead. |
Do you think we can keep this fix as a short-term solution until the |
Pretty valid but I think the issue is in how containers-image-proxy (Go side) currently works; it re-opens /proc/self/fd/N instead of using the fd directly. That would require changes in the containers/image codebase. |
But did you test it? I could believe this works, but this is kind of subtle - it's actually not normal to have an unprivileged user with To verify this works, we'd need to setup a pull from a registry with an auth setup from a systemd unit, which...we should totally have, but would require some infrastructure work. The testing situation is why I would argue to just remove it entirely. |
Yes, I tested it in a bootc VM with systemd-sysext overlaying the fixed binary, INVOCATION_ID set, and /etc/ostree/auth.json present. That said, you're absolutely right about the testing infrastructure gap and my test was manual and one-off. I will close this and put up a new PR to remove this. PR: #2307 |
When running under systemd, ostree-ext drops privileges to 'nobody' with setpriv --bounding-set -all. However, skopeo needs to re-open auth file descriptors at /proc/self/fd/N, which requires CAP_DAC_READ_SEARCH.
Fix by conditionally keeping this capability when auth_data is present: setpriv --bounding-set -all,+dac_read_search
This fixes Anaconda installations with authenticated registries while maintaining security (still runs as unprivileged user).