Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 17 Nov 2014 10:43:39 -0800
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Linux user namespaces can bypass group-based restrictions

This is a heads-up, as there is no fix right now.

On Linux, if you can unshare your user namespace (which is the case on
many distributions), then you can map your fsuid and fsgid into the
new namespace and, inside that namespace, drop all of your other
groups.

This may allow you to access files protected by POSIX ACLs as "other",
even if the ACL should have prohibited it based on one of your
supplementary group IDs.

This does not appear to allow you to violate negative sudoers
group entries and the like, since sudo(8) would be confined to the
user namespace as well and will therefore not gain privilege.

To those who care about credit: this was discovered by some
combination of me, Theodore Ts'o, Eric Biederman, Alan Cox, and Casey
Schaufler.

See here for some more discussion:
http://thread.gmane.org/gmane.linux.man/7385/

Disabling CONFIG_USER_NS works around this issue.

--Andy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.