From: "U.Mutlu" <for-gmane@mutluit.com>
To: util-linux@vger.kernel.org
Subject: Re: user namespaces: user mapping
Date: Tue, 17 Nov 2015 06:25:42 +0100 [thread overview]
Message-ID: <n2edon$mfu$1@ger.gmane.org> (raw)
In-Reply-To: <20151117043229.GH31395@vapier.lan>
Mike Frysinger wrote on 11/17/2015 05:32 AM:
> On 17 Nov 2015 00:41, U.Mutlu wrote:
>> I did some research on the net, and the findings are:
>> - user namespaces have their own security holes
>
> there are no known security issues. like all new code, there were some edge
> cases in the original implementation, but they've been fixed since. the only
> thing left is that people don't like the new attack surface and inherently
> distrust it. but that's not the same thing as there being known security holes.
see below
>> - a workaround exists, but then a new problem happens: loop devices cannot
>> be accessed
>
> loop devices are merely files which are owned by the root user. not being able
> to open files owned by the "real" root is to be expected.
>
>> Does the user need to create his own loop device(s)?
>
> you need to have the system/root chown them as the user before doing anything
> else. sucks, but that's currently how it works.
Come on, what about the other users and the system itself, as they need them
too...
> would be nice if someone
> looked into making it more accessible to users. maybe others on this list are
> aware of ongoing work.
>
>> Hmm. it looks like there is (currently?) a big mess with user namespaces:
>> https://code.google.com/p/chromium/issues/detail?id=457362
>
> no, no there is not
This is an excerpt from a recent posting (Oct-17) in the containers newsgroup
you posted the link here (
http://lists.linuxfoundation.org/pipermail/containers/2015-October/036333.html
), cite:
|>>> Linux 3.8 saw the introduction of unpriviledged user namespaces,
|>>> allowing unpriviledged users (without CAP_SYS_ADMIN) to be a "fake" root
|>>> inside a separate user namespace. Before that, any namespace creation
|>>> required CAP_SYS_ADMIN (or, in practice, the user had to be root).
|>>> Unfortunately, there have been some security-relevant bugs in the
|>>> meantime. Because of the fairly complex nature of user namespaces, it is
|>>> reasonable to say that future vulnerabilties can not be excluded. Some
|>>> distributions even wholly disable user namespaces because of this.
user namespaces is not mature yet.
next prev parent reply other threads:[~2015-11-17 5:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-16 2:26 unshare -m should not be a privileged option U.Mutlu
2015-11-16 4:19 ` Mike Frysinger
2015-11-16 15:43 ` user namespaces: user mapping U.Mutlu
2015-11-16 23:41 ` U.Mutlu
2015-11-17 4:32 ` Mike Frysinger
2015-11-17 5:25 ` U.Mutlu [this message]
2015-11-17 20:58 ` Mike Frysinger
2015-11-17 6:54 ` unshare -m should not be a privileged option U.Mutlu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='n2edon$mfu$1@ger.gmane.org' \
--to=for-gmane@mutluit.com \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.