[CRIU] Security issues
Pavel Emelyanov
xemul at virtuozzo.com
Wed Dec 14 01:26:34 PST 2016
On 12/14/2016 11:17 AM, Matthias Neuer wrote:
> Hi,
>
> I want to use criu to checkpoint and restart user processes.
CRIU can already dump in user-mode, but not everything :)
> Unfortunately starting the criu daemon as a user process does not work
> because the restore fails as the user lacks the permission to restart
> the process with the old pid. I'm not sure if this problem can be solved
> easily.
It can be, but it requires patching and additional research. A user process
can fork() with a specified pid only in new user+pid namespaces. Having
user+pid namespaces implies having a new mnt namespace with its own /proc mount.
There's a thing called scripts/criu-ns in the criu-dev branch that handles pid,
mnt and /proc, but not (yet) the user ns.
> So I need to start the criu daemon with root permissions.
Oh, that's dangerous.
> In my opinion this produces at least two security risks:
>
> 1. A user can dump a root process. I tested this with version 2.3 and
> 2.9 and it seems to work although on https://criu.org/Security it says
> that it should not work.
Well, yes :( this piece of documentation is quite outdated...
> 2. The fact that you know the filename and the location of the dump file
> the criu daemon writes can be used for a symlink attack.
>
> Can I start the criu service with some options to solve these problems?
Well, making the criu daemon run as root and serve requests from non-root users in
a secure manner turned out to be an almost impossible task, so we stopped this
effort. The current plan is to teach criu to work in user-mode. Dump works in
many cases; the next thing to do is fix restore with user namespaces.
-- Pavel
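The symlink attack Matthias describes (a user who knows where the root-run daemon will write its images pre-plants a symlink there so that the write lands on an arbitrary file) has a standard mitigation on the writer's side. The example below is added here to illustrate it and is not code from CRIU or from the thread: the image directory is opened first with O_DIRECTORY|O_NOFOLLOW, its ownership and mode are checked on the resulting descriptor, and each image is then created relative to that descriptor with O_CREAT|O_EXCL|O_NOFOLLOW, so a planted symlink or pre-existing file is refused instead of followed. The directory, file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def open_dump_file_safely(directory, name, mode=0o600):
    """Create a new image file `name` inside `directory` without following symlinks.

    Returns an open, writable file descriptor. Raises OSError when:
      - `directory` is a symlink (O_NOFOLLOW -> ELOOP) or not a directory,
      - `directory` is not owned by the caller or is group/world writable,
      - `name` already exists (O_EXCL) or is a symlink (O_NOFOLLOW -> ELOOP).
    Resolving `name` via dir_fd avoids a race between a check on the path and
    the open; all decisions are made on descriptors, not on path strings.
    """
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(dir_fd)
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{directory} is not owned by uid {os.geteuid()}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{directory} is writable by group/others")
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        return os.open(name, flags, mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo():
    """Constructed scenario: a private image directory in which an attacker has
    planted a symlink under an expected image name, plus one stale regular file.
    Returns a dict describing what the hardened open did in each case."""
    root = tempfile.mkdtemp(prefix="images-")          # mode 0700, owned by us
    target = os.path.join(root, "victim-target")       # stands in for any file
    with open(target, "w") as f:                       # the attacker wants clobbered
        f.write("do not clobber\n")
    os.symlink(target, os.path.join(root, "core-1.img"))   # planted symlink
    with open(os.path.join(root, "core-3.img"), "w"):      # stale regular file
        pass

    results = {}
    for name, key in (("core-1.img", "symlink"), ("core-3.img", "existing")):
        try:
            fd = open_dump_file_safely(root, name)
            os.close(fd)
            results[key] = "opened"
        except OSError:
            results[key] = "refused"

    fd = open_dump_file_safely(root, "core-2.img")     # untouched name: created
    os.write(fd, b"image data")
    os.close(fd)
    results["fresh"] = "opened"

    with open(target) as f:                            # symlink target unharmed
        results["target_intact"] = f.read() == "do not clobber\n"
    return results


if __name__ == "__main__":
    print(demo())
```

This closes only the file-creation hole; it does nothing about the broader problem Pavel points at, a root daemon acting on requests from untrusted clients, which is why the thread moves towards running dump and restore entirely in user-mode inside user namespaces.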