The trouble with dropping groups

Posted Nov 20, 2014 22:05 UTC (Thu) by jspaleta (subscriber, #50639)
Parent article: The trouble with dropping groups

So that namespacing wrinkle with groups...that impacts the security of unprivileged containers that some vendors are now advertising as a feature?

-jef

The trouble with dropping groups

Posted Nov 20, 2014 23:37 UTC (Thu) by spender (guest, #23067) [Link] (1 responses)

There have been at least a dozen vulnerabilities caused by the existence of unprivileged user namespaces by now, so if this is the first one to draw your attention, you're a bit late to the game ;) It's so obviously bad that it's become a running joke on my Twitter.

Just a small sampling of the vulns:
http://article.gmane.org/gmane.linux.network/283310
http://thread.gmane.org/gmane.linux.file-systems/89076
https://lkml.org/lkml/2013/3/14/579
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git...
http://stealth.openwall.net/xSports/clown-newuser.c
http://comments.gmane.org/gmane.comp.security.oss.general...

If upstream had any security sense, they wouldn't have removed the privilege checks for creating user namespaces despite the code clearly not being ready for such a change. Grsecurity put the privilege checks back ever since they were removed and avoided this entire mess. I don't see how the creation of nearly arbitrarily-deep user namespaces by unprivileged users is of such importance in the present time to be putting systems at risk for what Ubuntu and others promote as a security feature.

-Brad

The trouble with dropping groups

Posted Nov 20, 2014 23:54 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I'm aware of other problems yes.
I just wanted to be clear on this to the list.

But yes I'm not up to speed on state of the art on containers as much as I would like to be, can't seem to scope playing with it as relevant to my current paying gig... unless you can point me to containers that work with qnx.

-jef