User namespaces
User namespaces
Posted Sep 17, 2015 20:55 UTC (Thu) by ebiederm (subscriber, #35028)In reply to: Quotes of the week by spender
Parent article: Quotes of the week
What user namespaces are is a way to get around the ancient unix design bug which is setuid root applications. That design bug resulted in new kernel features being only available to the root user because of legitimate concerns of confusing setuid root applications.
Unfortunately code that is semantically reasonable for a non-root user to use if it was not for setuid-root applications typically has not been looked at closely, and contain bugs in the corner cases that people do not use.
And of course by it's very nature of dealing with security credentials practically any bug is a security issue.
I am human and I have made mistakes. I do not see those mistakes rising to the level of utter recklessness alleged.
For the primary use case of having a root user in a container user namespaces make things better.
If you have no need for new fangled features anything new is always unnecessary.
It is also true I have not found many of the security issues that have been found in the released code. What responsoble person releases code that has issues they know of. Most bugs in released software are in fact found by someone other than the developer.
If anyone has any strong feelings or concerns about the code please feel free to reach out to me. I am a finite human being with finite knowledge, creativity and time in which I endeavour to do the best thay I can. So I am happy to make improvements.
Posted Sep 17, 2015 21:43 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (9 responses)
Is this true? If a container is running some well-written code as root, there's no security concern - I can't subvert the code running as root to do what I want, so I'm left with whatever unprivileged execution paths I have within that container. With user namespaces all I need is unprivileged code execution in order to become "root", and as we've seen that has opened up various other avenues of attack.
Posted Sep 19, 2015 10:02 UTC (Sat)
by ebiederm (subscriber, #35028)
[Link] (8 responses)
Droppping a few capability bits and denying access to /proc files does not help much. User namespaces help a bit more.
Posted Sep 19, 2015 16:53 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (7 responses)
Posted Sep 21, 2015 8:08 UTC (Mon)
by ortalo (guest, #4654)
[Link] (6 responses)
But well, we should really all sit down around a table (possibly several tables), make a strong skill-oriented and trust-oriented screening check of everyone involved, and force each table to agree upon a modern set of security features for 21st century operating systems.
Maybe every group would come up with differents sets of features (esp. behind governemental closed doors) but at least we could go towards development-oriented people with a consistent security features set and without the permanent impression that the old (security) reference monitors of the 70s were more advanced than current software.
Or maybe I should just write mines somewhere for an (improbable) posterity...
Posted Sep 22, 2015 19:13 UTC (Tue)
by walex (guest, #69836)
[Link] (5 responses)
That's the consequence of not understanding the UNIX protection model well. Also it is a consequence of one of the major design flaws in that protection model too, the lack of distinction between effective and real user/group ids for inode ownership, not just for processes. I have written a suitable summary here. That design flaw makes things harder, not impossible, though. That impression is entirely valid, current state of the art in OS design, and not just security architectures, has greatly regressed, largely thanks to Linux developers (many of whom seem to regard reading a few decades of extensive literature as something only cowards would do) who worship the Microsoft way, towards the early 60s (at best!), where MS-Windows NT mostly resides.
Posted Sep 22, 2015 19:40 UTC (Tue)
by pizza (subscriber, #46)
[Link] (1 responses)
[ citation needed ]
Posted Sep 23, 2015 14:27 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link]
Posted Sep 22, 2015 20:20 UTC (Tue)
by zlynx (guest, #2285)
[Link] (1 responses)
Your game client needs to download updates? Well, you could create a group and assign permissions to it ... nahhh, go Administrator!
Posted Oct 11, 2015 9:25 UTC (Sun)
by Fowl (subscriber, #65667)
[Link]
Hurrah world writable binaries!
They have a system service as well, but I have no idea what it's used for because updates only occur whilst the client is running and installing a game still prompts for Admin credentials,. Installing software system wide probably /should/ require the permission of an administrator after all...
Hmm this has turned into a bit of a rant.
Posted Sep 22, 2015 20:26 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Sep 20, 2015 19:43 UTC (Sun)
by pbonzini (subscriber, #60935)
[Link]
User namespaces
User namespaces
User namespaces
User namespaces
Under Unix, I thought the consensus was to try to reduce the needed setuid programs to a small and very controlled set. Like an annoying heritage.
It's not a criticism at all by the way. You are offering new features and visibly taking care of their security; that's already a lot.
User namespaces
Under Unix, I thought the consensus was to try to reduce the needed setuid programs to a small and very controlled set. Like an annoying heritage.
without the permanent impression that the old (security) reference monitors of the 70s were more advanced than current software.
User namespaces
User namespaces
User namespaces
User namespaces
User namespaces
How can inode ownership make it possible to run utilities like "ping"?
User namespaces