Date: Tue, 26 Jan 2016 15:13:29 -0800 From: Kees Cook <keescook@...omium.org> To: Serge Hallyn <serge.hallyn@...ntu.com> Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Andrew Morton <akpm@...ux-foundation.org>, Al Viro <viro@...iv.linux.org.uk>, Richard Weinberger <richard@....at>, Robert Święcki <robert@...ecki.net>, Dmitry Vyukov <dvyukov@...gle.com>, David Howells <dhowells@...hat.com>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled On Tue, Jan 26, 2016 at 9:15 AM, Serge Hallyn <serge.hallyn@...ntu.com> wrote: > Quoting Josh Boyer (jwboyer@...oraproject.org): >> What you're saying is true for the "oh crap" case of a new userns >> related CVE being found. However, there is the case where sysadmins >> know for a fact that a set of machines should not allow user >> namespaces to be enabled. Currently they have 2 choices, 1) use their > > Hi - can you give a specific example of this? (Where users really should > not be able to use them - not where they might not need them) I think > it'll help the discussion tremendously. Because so far the only good > arguments I've seen have been about actual bugs in the user namespaces, > which would not warrant a designed-in permanent disable switch. If > there are good use cases where such a disable switch will always be > needed (and compiling out can't satisfy) that'd be helpful. My example is a machine in a colo rack serving web pages. A site gets attacked, and www-data uses user namespaces to continue their attack to gain root privileges. The admin of such a machine could have disabled userns months earlier and limited the scope of the attack. -Kees -- Kees Cook Chrome OS & Brillo Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.