Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Aug 2014 14:48:28 -0700
From: Kenton Varda <>
Subject: CVE Request: ro bind mount bypass using user namespaces

Due to a bug in the Linux kernel's implementation of remount, on systems
with unprivileged user namespaces enabled, it is possible for an
unprivileged user to gain write access to any visible read-only bind mount.
It is also possible to bypass flags like nodev, nosuid, and noexec.

This problem affects sandboxing / containerization systems that do not
expose the regular filesystem to the sandboxed process, but do expose a
bind-mounted view of that filesystem using these flags to enforce security.
This bug may enable a sandbox break-out. Sandboxes which have used
seccomp-bpf to disable the "mount" system call or to disable user
namespaces are likely safe.

Eric Biederman has proposed the following patches to fix the problem:

-Kenton Varda,

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ