Re: qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
On Sat, Aug 23, 2025 at 04:19:29PM +0200, Thorsten Glaser wrote:
> On Sat, 23 Aug 2025, Michael Tokarev wrote:
>
> >> Does this entirely break things like running sudo within a
> >> qemu-user-emulated chroot (or buildd/cowbuilder/schroot)?
>
> > It discontinues elevating (changing) privileges using the qemu-user binfmt
> > handler. Things like /foreign/chroot//bin/su and /foreign/chroot/bin/sudo
> > do not work anymore. If you run sudo /foreign/chroot/bin/bash,
> > your bash will continue to run as root under qemu-user, as before.
>
> But the use case is:
> prompt> chroot /foreign/chroot su - user
> chroot> do something
> chroot> sudo do something else # this step
> […]
> chroot> exit

So you don't need elevation at all, as chroot already requires
privileges. Please show the log of such a broken use-case.
Also "su - user", seriously?

> This needs to work, or at least be enablable (with a documentation
> in at least README.Debian, with a NEWS.Debian entry pointing to it
> saying precisely how, not vague “this will require changes to your
> deployment”).

You need to fix the implementation to not require elevation.

> > There are no alternatives - qemu is unique in this regard. And
> > it has never been designed for this usage. What we had for 15+
> > years, unnoticed, is like `chmod u+s /bin/sh`, which is never
> > supposed to be used like this.
> Perhaps, but there’s shades in between.

No, there are not. qemu-user is not expected to be used in this way.

> > If you rely on suid/sgid *foreign* binaries, that's where the
> > problem lies.
> Yes. People expect to be able to run foreign-arch chroots.
> Entire buildd setups partly rely on this, too…

And they can still do that. They just can't jump from user back to
root. So replace sudo with ctrl-d.

> > As stated in the announcement, if you relied on this feature,
> > you have to rework your setup.
> And that is both too vague and not in README.Debian so that
> people installing qemu-user later can find that.

Please provide patches.

Bastian
--
The sight of death frightens them [Earthers].
-- Kras the Klingon, "Friday's Child", stardate 3497.2