[ori_b]

> The thing about `sudo` is confusing because you don't even need to modify the namespace to overwrite `/etc/sudoers` if you have root. You just need to write to the file.

The point is that you DONT have root, and you DONT have access to write to the file. But you're free to rearrange your namespace WITHOUT having root, and you want to arrange for SOME users to escalate privileges and, say, debug the kernel. Or do something else dangerous that requires elevated privileges in the global context.

> A `sudo` that is seeing a local view of the root is going to have privileged access to that local root, not to the global system root. And that is correct. That is what sudo does. It gives root access to the same root that contains /etc, not to any "outer" or "more global" root.

Yes, and that's a concise description of the flaw: you can't use suid+file based privilege escalation to modify system-wide configuration, without restricting the ability to manage freely your namespace.

This is what unix does by design, and why the authentication design from unix isn't going to work for systems used in the style of plan 9.

[DarylZero]

You can use suid programs to do what they do. You can use other mechanisms to do other things.

Suid programs on Plan9 could not possibly behave any differently. If the user rebinds `/bin` and then runs a suid program that calls other programs, that suid program cannot use the rebound `/bin`. That kind of binding simply can't be allowed to cross security contexts.

[stormbrew]

setuid does not exist on plan9.

[DarylZero]

Right, so none of this namespace stuff works under suid there either.

[stormbrew]

I don't know what you're trying to say here. You seem to be saying that "namespaces wouldn't work in plan9 if plan9 had setuid" which.. yes? That's exactly right. But plan9 does have namespaces, and does not have setuid, so it does indeed work there.

[DarylZero]

I mean it's supposed to be a problem for Linux if a setuid binary just has a different namespace view than the caller. But in Plan9 there's no setuid binary at all yet it's not a problem?

In neither Plan9, nor Linux, nor any other potential system, could you have the caller of a privileged program control the namespaces accessed under the privilege of that program.

Like the whole thing about rebinding /bin instead of $PATH... well neither rebinding, nor editing $PATH, nor any other such thing, $LD_PRELOAD, anything, that would affect how the process found files to execute, could be secure if allowed to affect a privileged process. It only means you disable environment sharing, and you disable namespace sharing, etc., any other kind of sharing (no matter how implemented... Linux way, Plan9 way, anything). Plan9 has no better way than that, no way to make /bin rebinding work in a way that makes sense for privilege escalation.

[ori_b]

> But in Plan9 there's no setuid binary at all yet it's not a problem?

I think you mean, 'and therefore, it's not a problem.'

In plan 9, the program that allows you to switch users needs almost no privileges.

> Plan9 has no better way than that, no way to make /bin rebinding work in a way that makes sense for privilege escalation.

Processes aren't allowed to become privileged without obtaining a cryptographic capability token via negotiation with the authentication agent. The auth agent which was started at boot will write the secret to the kernel, and give you the hash of it so you can prove you are the rightful recipient of that uid switch request. If you don't have the right secrets, you don't get a token.

You can't swap the devcap in the authenticators namespace, and negotiating with a rebound devcap is simply not going to work, because your authentication token wasn't written into it. You don't have the ability to change what the program doing authentication sees.

In summary: There's no information attached to the binary, and no capability grants in a namespace you can rebind.

If you want to namespace this sort of authentication agent, it's also possible -- you can authenticate, escalate permissions, and start your own agent talking to devcap -- but the capability to start a functional authentication agent is guarded by capability tokens. You need to be authenticated to allow authentication.

Removing suid binaries with config files as a method for privilege escalation is the right path. They don't play well with namespaces.

Cryptographic capability tokens that you can delegate to other programs do.

[stormbrew]

The problem is that the setuid program does have the same view of the namespace as its caller. When you run a setuid binary it inherits all aspects of the process that exec()'d it, including its namespaces.

Ok, so let's make this more concrete. The scenario we're discussing is a user who wishes to (illegitimately) elevate their privileges, and has the ability to mount, and in particular bind/union mount:

    > mkdir ~/my-etc
    > echo 'badperson   ALL=NOPASSWD:(ALL:ALL) ALL' > ~/my-etc/sudoers
    > mount --bind ~/my-etc /etc # note: you could also insert a command to bump us into a new filesystem namespace before this if you want, or assume that say logind did it for us, it wouldn't change anything about what happens next
    > sudo -s
    # rm -rf /*

This happens because sudo is a setuid program, and it inherits the filesystem namespace of the shell that ran it. In that namespace, the real sudoers file has been masked with a fake one that says badperson can sudo to any user they want, and so it lets them.

That this is the mechanism of privilege escalation that linux uses is fundamental to why mounting (and bind mounting) is a privileged operation. Plan9 does not have either root, nor setuid programs, nor filesystem-stored capabilities, and so does not suffer from this and you can manipulate your namespace to your heart's content.

> Plan9 has no better way than that, no way to make /bin rebinding work in a way that makes sense for privilege escalation.

Please just read some things about plan9 already.