[CRIU] Hardening the criu service daemon

Pavel Emelyanov xemul at parallels.com
Fri Sep 11 08:27:35 PDT 2015


On 09/11/2015 04:32 PM, Florian Weimer wrote:
> On 09/11/2015 03:30 PM, Pavel Emelyanov wrote:
>> On 09/11/2015 04:23 PM, Florian Weimer wrote:
>>> On 09/11/2015 03:17 PM, Ruslan Kuprieiev wrote:
>>>> Hi,
>>>>
>>>> On 11.09.15 16:06, Pavel Emelyanov wrote:
>>>>>> Are there any objections because the service daemon is seen as an
>>>>>> important feature or is it okay to be removed?
>>>>> I'm OK with it.
>>>>>
>>>>> I would even suggest deprecating the service as a whole, but before doing
>>>>> this we should implement the "self dump" facility via swrk and then audit
>>>>> the swrk mode for not being subject to the same CVEs.
>>>>>
>>>>> -- Pavel
>>>> Why deprecate it at all? Isn't it much more secure to let users use
>>>> the service socket instead of giving them a suid-ed binary?
>>>
>>> Currently, both are equally insecure.  Making the binary SUID isn't even
>>> documented, as far as I know.
>>
>> It is at the http://criu.org/Security page. Probably not as good as it could be,
>> but still it's there.
> 
> Oh, a half-sentence at the start of the page.  So is the intent that
> SUID installation of the criu binary is supported?  I suspect there
> would be some additional vulnerabilities in this mode.

The intention was that a non-root user could use the checkpoint-restore facilities.
So far the kernel only allows what criu needs to be done from root (mostly caps, AFAIR),
so whether via the service or via the suid bit -- criu should be secure when being asked
by a non-root user.

-- Pavel
