From: "Serge E. Hallyn" <serge@hallyn.com>
To: Colin Walters <walters@verbum.org>
Cc: Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-kernel@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Alexander Larsson <alexl@redhat.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Stephane Graber <stgraber@ubuntu.com>,
Seth Forshee <seth.forshee@canonical.com>
Subject: Re: Thoughts on tightening up user namespace creation
Date: Wed, 9 Mar 2016 13:21:03 -0600 [thread overview]
Message-ID: <20160309192103.GA2523@mail.hallyn.com> (raw)
In-Reply-To: <1457549467.650797.544465346.49653120@webmail.messagingengine.com>
Quoting Colin Walters (walters@verbum.org):
> On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> > > Hi all-
> > >
> > > There are several users and distros that are nervous about user
> > > namespaces from an attack surface point of view.
> > >
> > > - RHEL and Arch have userns disabled.
> > >
> > > - Ubuntu requires CAP_SYS_ADMIN
> > >
> > > - Kees periodically proposes to upstream some sysctl to control
> > > userns creation.
> >
> > And here's another ring0 escalation flaw, made available to
> > unprivileged users because of userns:
> >
> > https://code.google.com/p/google-security-research/issues/detail?id=758
>
> Looks like Andy won't have to eat his hat ;)
>
> > The change in attack surface is _substantial_. We must have a way to
> > globally disable userns.
>
> No one would object if it was enabled but only accessible to
> CAP_SYS_ADMIN though, right? This could be useful for
I think that would be terrible. I'd have to expose all of CAP_SYS_ADMIN
to allow use of CLONE_NEWUSER. I'd be more interested in a new CAP_NEWUSER
capability. Then systems wanting to support unprivileged users doing user
namespaces could set a pam module giving certain users that cap in pI, and
set it on fI on their container managers. Userspace has to give access to
mapped uids through /etc/subuid too, so it's not *so* huge added hurdle.
Well that's not quite true - with empty subuid, users can create a userns
with no mapped userids which in itself is useful for sandboxing.
The biggest problem with a CAP_NEWUSER would be that it's more inherently
permanent than a new sysctl. The increase in attack surface is real, but
over time I'd like to think that we will have dealt with it and should be
able to make CLONE_NEWUSER unprivileged. Because what we have is an
implementation issue (not in user namespaces), not a design issue.
And I do agree the issue is real.
-serge
next prev parent reply other threads:[~2016-03-09 19:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 5:15 Thoughts on tightening up user namespace creation Andy Lutomirski
2016-03-08 6:06 ` Serge E. Hallyn
2016-03-08 18:31 ` Andy Lutomirski
2016-03-08 22:41 ` Serge E. Hallyn
2016-03-08 10:05 ` Alexander Larsson
2016-03-08 16:31 ` Eric W. Biederman
2016-03-09 18:14 ` Kees Cook
2016-03-09 18:51 ` Colin Walters
2016-03-09 19:04 ` Austin S. Hemmelgarn
2016-03-09 19:21 ` Serge E. Hallyn [this message]
2016-03-09 19:25 ` Kees Cook
2016-03-09 19:07 ` Serge E. Hallyn
2016-03-09 19:12 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160309192103.GA2523@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=alexl@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge.hallyn@ubuntu.com \
--cc=seth.forshee@canonical.com \
--cc=stgraber@ubuntu.com \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).