Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 11:44:14 -0400
From: Eric Windisch <eric@...disch.us>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: USERNS allows circumventing MNT_LOCKED

In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
it would be possible to use user namespaces to circumvent MNT_LOCKED and
allow unprivileged users to access the directory structure underneath of
mounts. A PoC was also produced and is public.

Patches are now available and proposed to Linus[2].

This may not simply be information disclosure, but containerized
environments may through chroot and mount namespaces mask directory
structures as read-only or inaccessible via the use of bind-mounts. Such
read-only masking may be circumvented by this vulnerability on systems
where these directories are not otherwise protected by MAC (i.e. SELinux or
AppArmor).

Regards,
Eric Windisch

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ