
The long road to a fix for CVE-2021-20316


Posted Feb 11, 2022 10:10 UTC (Fri) by taladar (subscriber, #68407)
In reply to: The long road to a fix for CVE-2021-20316 by Cyberax
Parent article: The long road to a fix for CVE-2021-20316

Containers wouldn't really help you with servers like Samba that need to allow for different permissions for different remote users. Nor would they help for permission changes over time. In fact I would go so far as to say containers wouldn't help you with this sort of issue at all.



The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 13:30 UTC (Fri) by joib (subscriber, #8541)

Just putting Samba, as is, into a docker/podman/whatever container with full permissions won't fix anything, yes.

But maybe something like when a new user connects, fork a new process to handle that user, create appropriately restricted namespaces for that process (call it a "container" if you like), and finally switch the process uid to that user?

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 16:53 UTC (Sun) by marcH (subscriber, #57642)

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 19:24 UTC (Wed) by ssmith32 (subscriber, #72404)

You'd still need to deal with giving multiple users different levels of access (r/w, at least), to the same file/directory. But it would help with the directory escape bugs.

