Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Jan 2016 14:22:19 -0800
From: Andy Lutomirski <>
To: "Eric W. Biederman" <>
Cc: Kees Cook <>, Andrew Morton <>, 
	Al Viro <>, Richard Weinberger <>, 
	Robert Święcki <>, 
	Dmitry Vyukov <>, David Howells <>, 
	Miklos Szeredi <>, Kostya Serebryany <>, 
	Alexander Potapenko <>, Eric Dumazet <>, 
	Sasha Levin <>, 
	"" <>, 
	"" <>, 
	"" <>
Subject: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

On Fri, Jan 22, 2016 at 7:02 PM, Eric W. Biederman
<> wrote:
> Kees Cook <> writes:
>> There continues to be unexpected side-effects and security exposures
>> via CLONE_NEWUSER. For many end-users running distro kernels with
>> CONFIG_USER_NS enabled, there is no way to disable this feature when
>> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
>> admins not running containers or Chrome can avoid the risks of this
>> feature.
> I don't actually think there do continue to be unexpected side-effects
> and security exposures with CLONE_NEWUSER.  It takes a while for all of
> the fixes to trickle out to distros.  At most what I have seen recently
> are problems with other kernel interfaces being amplified with user
> namespaces.  AKA the current mess with devpts, and the unexpected
> issues with bind mounts in mount namespaces.

> So to keep this productive.  Please tell me about the threat model
> you envision, and how you envision knobs in the kernel being used to
> counter those threats.

I consider the ability to use CLONE_NEWUSER to acquire CAP_NET_ADMIN
over /any/ network namespace and to thus access the network
configuration API to be a huge risk.  For example, unprivileged users
can program iptables.  I'll eat my hat if there are no privilege
escalations in there.  (They can't request module loading, but still.)


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.