Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Aug 2016 15:04:50 -0400
From: Daniel J Walsh <dwalsh@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: cve request: systemd-machined: information
 exposure for docker containers



On 08/10/2016 03:00 PM, CAI Qian wrote:
>
> ----- Original Message -----
>> From: "Daniel J Walsh" <dwalsh@...hat.com>
>> To: oss-security@...ts.openwall.com
>> Sent: Wednesday, August 3, 2016 3:27:00 AM
>> Subject: Re: [oss-security] cve request: systemd-machined: information exposure for docker containers
>>
>>
>>
>> On 08/01/2016 12:24 PM, Shiz wrote:
>>>> On 28 Jul 2016, at 16:42, Simon McVittie <smcv@...ian.org> wrote:
>>>>
>>>> *Which* unprivileged user processes?
>>>>
>>>> If the unprivileged user processes are not in a container, they can get a
>>>> significant amount of the same information by reading the host's /proc.
>>> Except if a host is running with hidepid={1,2}, which is not entirely
>>> uncommon
>>> especially in hardened systems. In that regard it /does/ qualify as
>>> infoleak.
>>>
>>> - Shiz
>> Then simply rpm -e oci-register-machine
>>
> Except people can't do that in OSes like atomic host.
>    CAI Qian
But people do not tend to have non privileged users logged into atomic host.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ