1608343323 M * Bertl_oO  off to bed now ... have a good one everyone!
1608343325 N * Bertl_oO Bertl_zZ
1608345005 Q * transacid Remote host closed the connection
1608345026 J * transacid ~transacid@transacid.de
1608368150 J * aj__ ~aj@p200300c6272a6300aae93983cd8faa84.dip0.t-ipconnect.de
1608380967 N * Bertl_zZ Bertl
1608380971 M * Bertl  morning folks!
1608387940 J * emanuel ~emanuel@2a02:1748:dd5e:7720:aad8:61cd:1c3a:de3f
1608388414 M * emanuel Hello, I have (permission) problems running an AppImage in a VServer but can't find anything on the wiki:
1608388576 M * emanuel If I try to run an AppImage inside a VServer this happens: https://bin.emanuel-loos.eu/?608ba8000076f36b#5kY4ndBfry1AMxPmKzfjr9tJzKFLCq7NbCR3NPbK7BH
1608388691 M * emanuel Or view it here: https://paste.debian.net/1177596/
1608388919 M * emanuel Thanks in advance!
1608389618 M * gnarface is it something you can mount ahead of time?
1608389645 M * gnarface i thought you can't mount stuff after the guest is started
1608389653 M * gnarface don't know if fuse can be made to work
1608389662 M * gnarface but i'm no expert on it
1608389700 M * gnarface it looks like the appimage tries to make the guest mount another filesystem, which would be a security hazard 
1608389918 M * Bertl emanuel: yes, the problem here seems to be the fuse module load
1608389941 M * Bertl try to load the fuse module on the host first and see how that does
1608389995 M * Bertl might be a problem if you do not have access to the host though
1608390224 M * emanuel on the host there is no output when loading fuse
1608390324 M * Bertl yes, that's expected, now try the appimage again
1608390331 M * Bertl (inside the guest)
1608390367 M * emanuel same as before
1608390415 M * Bertl device not found?
1608390439 M * Bertl does /dev/fuse exist inside the guest?
1608390460 M * Bertl if not, you want to create it there from the host
1608390466 M * Bertl (or copy it from the host)
1608390515 M * emanuel it doesn't exist
1608390608 Q * DelTree Ping timeout: 480 seconds
1608390637 M * emanuel how can I coy it
1608390644 M * emanuel *copy
1608390681 M * Bertl cp -va /dev/fuse /path/to/guest/dev/fuse
1608390760 M * emanuel doesn't work:
1608390763 M * emanuel cp: die Spezialdatei '/etc/vservers/nc/dev/fuse' kann nicht erzeugt werden: Datei oder Verzeichnis nicht gefunden
1608390871 M * emanuel english: the special file '/etc/vservers/nc/dev/fuse' can't be created: file or directory not found
1608390897 M * emanuel however it *does* exist on the host
1608390913 M * Bertl you sure your guest is at /etc/vservers/nc ?
1608390928 M * Bertl typically the config is there, and the guest is at /vservers/
1608390954 M * Bertl chat for a /dev directory with a bunch of devices (about 5-10)
1608390971 M * emanuel I forgot vdir
1608391100 M * emanuel now /dev/fuse exists, but I still get the same error when running an AppImage
1608391114 M * Bertl device not found?
1608391156 M * emanuel https://bin.emanuel-loos.eu/?cad0b0b8eb65241a#G5QcxiYX3Foaq7yiTZtdEeBeQ3JtEREHer2hdP3Xpg6A
1608391174 M * Bertl ah, so now you get a different one
1608391185 M * Bertl i.e. you are not permitted to do the mount
1608391204 M * Bertl you can allow that to the guest by giving additional capabilities
1608391233 M * Bertl the question here is: do you just want to run the softare in the guest or make app images work in general?
1608391253 J * DelTree ~deplagne@2a00:c70:1:213:246:56:18:2
1608391275 M * Bertl because for a particular appimage you could simply unpack it on the host and then run it on the guest
1608391293 M * Bertl (without giving additional capabilities)
1608391326 M * emanuel what are the security problems?
1608391344 M * gnarface well the disk mount could literally be anything
1608391349 M * gnarface even something bad
1608391378 M * gnarface (there might be load implications too)
1608391472 M * gnarface in theory you're sidestepping numerous security barriers placed there both by the kernel and by the distro's package management system to protect you
1608391506 M * gnarface of course if you trust and know the contents implicitly, the only issue is the potentially unnecessary load
1608391520 M * gnarface (assuming it could be pre-mounted)
1608391530 M * gnarface (or extracted or whatever)
1608391617 M * gnarface i don't know much about appimages 
1608391653 M * emanuel what is the exact security vulnerability with mounting
1608391676 M * gnarface well you can mount anywhere too
1608391682 M * gnarface like, over top of something important
1608391707 M * gnarface certainly you can see the risk of letting something replace /usr/bin/ with it's own stuff, right?
1608391748 M * gnarface the concept shouldn't be that hard to grasp, i think you're over-complicating it in your head
1608391770 M * emanuel anywhere or only anywhere inside the VServer
1608391818 M * gnarface oh i don't actually know for sure, but even if it was only inside the vserver, wouldn't that be bad enough?
1608391848 M * gnarface they could replace the sshd binary with something that sends your passwords to china
1608391873 M * Bertl emanuel: simple example: you create a file with a bad filesystem in it, then you mount it on the guest and crash the host
1608391884 M * gnarface they could turn on your microphone and listen to your porn stream
1608391901 M * gnarface yea or they could just crash your server :-p
1608391957 M * gnarface there's a trick to make a relatively small file look like basically arbitrary-sized space using sparse mode
1608392006 M * emanuel well if someone has access to one of my VServers wouldn't he/she already be able to view anything inside it?
1608392023 M * gnarface yea, but not replace it with trojan horses 
1608392060 M * gnarface they wouldn't have write access to system files
1608392075 M * gnarface they wouldn't even have read access to most devices 
1608392094 M * gnarface they wouldn't be able to create network devices either 
1608392130 M * Bertl emanuel: another example: guest creates a filesystem with all kind of device nodes in it and mounts it. then uses mount to mount the host devices
1608392199 M * Bertl there are ways to improve the situation by only allowing certain types of mounts with specific options, but that requires a proper security framework setup or some changes to the kernel
1608392202 M * emanuel and the host and guest devices can't be separated?
1608392226 M * Bertl in general, you can assume that the guest must be trusted if you allow arbitrary mounts there
1608392288 M * gnarface you can assign devices to guests on a per-device basis before they start.  that's the safest way to do it.  letting programs change it on the fly is where you introduce real entry vectors.
1608392350 M * gnarface basically, anything that would normally require root access on the host isn't really something you want a guest to be able to do for itself
1608392399 M * emanuel can I whitelist devices for mounting?
1608392431 M * Bertl not from the Linux-VServer side, but you can do so with security modules like selinux
1608392544 M * emanuel would that still be as secure, if yes: how do I do that?
1608392611 M * Bertl probably would be secure, but nobody ever did a proper security framework configuration which played nicely with Linux-VServer 
1608392642 M * Bertl so you would have to dig deep into whatever framework/module you use and figure out how to configure it properly
1608393089 M * emanuel The AppImage is a (online) document suite which should be run automatically by Nextcloud
1608393205 M * Bertl once the AppImage has been extracted, you can simply 'run' it via
1608393213 M * Bertl squashfs-root/AppRun
1608393255 M * Bertl you can probably make a symlink or similar with the original AppImage name
1608393333 M * Bertl so, the basic steps to make this work would be:
1608393345 M * Bertl - unpack/extract the AppImage on the hist
1608393347 M * Bertl *host
1608393374 M * Bertl - copy the squashfs-root over into the guest
1608393398 M * Bertl - create a symlink or adjust the settings to run squashfs-root/AppRun
1608394016 Q * Aiken Remote host closed the connection
1608395205 M * Bertl  off for now ... bbl
1608395207 N * Bertl Bertl_oO
1608399475 M * emanuel Thanks for your help!
1608399475 M * emanuel What I foud out:
1608399475 M * emanuel Extracting AppImages works inside a VServer and there is also a option extract and run (--appimage-extract-and-run) which Nextcloud seems to pass if fuse doesn't exist.
1608399475 M * emanuel However I didn't get the AppImage to work due to another problem, which doesn't seem to be a Linux-VServer one.
1608401222 M * Bertl_oO thanks for the info!
1608407499 Q * emanuel Ping timeout: 480 seconds
1608409754 J * Aiken ~Aiken@b951.h.jbmb.net
1608416188 J * hijacker ~nikolay@external.oldum.net
1608417894 Q * aj__ Ping timeout: 480 seconds