[go: up one dir, main page]
|
|
Log in / Subscribe / Register

The trouble with dropping groups

The trouble with dropping groups

Posted Nov 20, 2014 23:37 UTC (Thu) by spender (guest, #23067)
In reply to: The trouble with dropping groups by jspaleta
Parent article: The trouble with dropping groups

There have been at least a dozen vulnerabilities caused by the existence of unprivileged user namespaces by now, so if this is the first one to draw your attention, you're a bit late to the game ;) It's so obviously bad that it's become a running joke on my Twitter.

Just a small sampling of the vulns:
http://article.gmane.org/gmane.linux.network/283310
http://thread.gmane.org/gmane.linux.file-systems/89076
https://lkml.org/lkml/2013/3/14/579
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git...
http://stealth.openwall.net/xSports/clown-newuser.c
http://comments.gmane.org/gmane.comp.security.oss.general...

If upstream had any security sense, they wouldn't have removed the privilege checks for creating user namespaces despite the code clearly not being ready for such a change. Grsecurity put the privilege checks back ever since they were removed and avoided this entire mess. I don't see how the creation of nearly arbitrarily-deep user namespaces by unprivileged users is of such importance in the present time to be putting systems at risk for what Ubuntu and others promote as a security feature.

-Brad

to post comments

The trouble with dropping groups

Posted Nov 20, 2014 23:54 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I'm aware of other problems yes.
I just wanted to be clear on this to the list.

But yes I'm not up to speed on state of the art on containers as much as I would like to be, can't seem to scope playing with it as relevant to my current paying gig... unless you can point me to containers that work with qnx.

-jef


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds