Re: CLONE_NEWUSER|CLONE_FS root exploit
[Posted March 20, 2013 by mkerrisk]
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w-AT-public.gmane.org (Eric W. Biederman)
To: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw-AT-public.gmane.org>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Wed, 13 Mar 2013 11:35:15 -0700
Message-ID: <87r4jjkv18.fsf@xmission.com>
Cc: Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA-AT-public.gmane.org>, Sebastian Krahmer <krahmer-l3A5Bk7waGM-AT-public.gmane.org>, linux-kernel-u79uwXL29TY76Z2rM5mHXA-AT-public.gmane.org, Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
> Hi,
>
> It seems like we should block (at least) this combination. On 3.9, this
> exploit works once uidmapping is added.
>
> http://www.openwall.com/lists/oss-security/2013/03/13/10

Yes. That is a bad combination. It lets chroot confuse privileged
processes.

Now to figure out if this is easier to squash by adding a user_namespace
to fs_struct or by just forbidding this combination.

Eric
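
Added example, not part of Eric's message or of the kernel source: a small C probe a defender can run to see whether the running kernel still accepts the flag combination discussed above. It assumes the x86-64 Linux argument order for the raw clone syscall and that a kernel forbidding the combination reports EINVAL; the function and enum names are made up for this illustration.

```c
/* Added example: does this kernel accept clone(CLONE_NEWUSER|CLONE_FS)? */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values as defined in the kernel's uapi <linux/sched.h>. */
#ifndef CLONE_FS
#define CLONE_FS 0x00000200
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Hypothetical names, used only in this example. */
enum verdict { COMBO_REJECTED, COMBO_ALLOWED, COMBO_INCONCLUSIVE };

/* fork()-style raw clone (no new stack, x86-64 argument order assumed).
 * Returns 0 if a child was created, otherwise the errno from clone. */
static int probe_clone(unsigned long flags)
{
    long pid = syscall(SYS_clone, flags | SIGCHLD, 0, 0, 0, 0);
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0);                 /* child does nothing and leaves at once */
    waitpid((pid_t)pid, NULL, 0); /* reap the child */
    return 0;
}

/* Assumption: EINVAL means the kernel refuses the combination (or has no
 * user namespaces at all); EPERM and similar come from seccomp or sysctls
 * and say nothing about the flag check itself. */
static enum verdict classify(int combo_errno)
{
    if (combo_errno == 0)      return COMBO_ALLOWED;
    if (combo_errno == EINVAL) return COMBO_REJECTED;
    return COMBO_INCONCLUSIVE;
}

int main(void)
{
    static const char *text[] = { "rejected", "ALLOWED", "inconclusive" };
    int combo = probe_clone(CLONE_NEWUSER | CLONE_FS);
    int alone = probe_clone(CLONE_NEWUSER); /* is userns usable at all? */
    printf("CLONE_NEWUSER|CLONE_FS: errno=%d (%s); CLONE_NEWUSER alone: errno=%d\n",
           combo, text[classify(combo)], alone);
    return classify(combo) == COMBO_ALLOWED;
}
```

A non-zero exit status means the kernel created a child that shares its fs_struct with the parent while living in a new user namespace, which is the combination the thread proposes to forbid.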