LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Cook: seccomp filter now in Ubuntu

Cook: seccomp filter now in Ubuntu

Posted Mar 27, 2012 0:18 UTC (Tue) by luto (subscriber, #39314)
In reply to: Cook: seccomp filter now in Ubuntu by slashdot
Parent article: Cook: seccomp filter now in Ubuntu

Unprivileged users can't chroot (yet [1]) or use FS namespaces. And correctly detecting when execve(2) will run a setuid program is probably impossible except in very limited circumstances.

[1] https://git.kernel.org/?p=linux/kernel/git/luto/linux.git;... [but I doubt that patch will be accepted in its current form]

(Log in to post comments)

Cook: seccomp filter now in Ubuntu

Posted Mar 27, 2012 0:33 UTC (Tue) by slashdot (guest, #22014) [Link]

Unprivileged users have to use nnp anyway.

Privileged users, in theory, could instead want to setup a FS namespace with some setuid programs of their choice.

However, this is probably useless in practice, so indeed it may be better to avoid the risk of an accidental security hole and force nnp on.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds