https://lwn.net/Articles/671641/ This is a special feed containing comments posted to the individual LWN article titled "User namespaces + overlayfs = root privileges". en-us Sun, 02 Nov 2025 00:00:33 +0000 Sun, 02 Nov 2025 00:00:33 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/671990/ https://lwn.net/Articles/671990/ butlerm <div class="FormattedComment"> Wouldn't it be safer to ignore SUID / SGID bits if the file in question lacked a UUID in an extended attribute that matched a UUID assigned to the corresponding superuser or group, respectively?<br> <p> Then presumably a user in one namespace could mount a filesystem created in a different namespace (possibly on a different system), and the security bits in question would be silently ignored, for failure to match the corresponding security identifiers?<br> <p> And if you really wanted those bits to take effect, you would go change the extended attributes to match the UUIDs of the superuser and/or group in the appropriate name space? <br> </div> Fri, 15 Jan 2016 01:29:21 +0000 https://lwn.net/Articles/671942/ https://lwn.net/Articles/671942/ nybble41 <div class="FormattedComment"> <font class="QuotedText">&gt; The step that seems most surprising to me is that a process in namespace A is affected by the setuid bit on a file in namespace B; I'd expect the VFS to treat files from a namespace not in your ancestry as if they were on a nosuid,nodev mount.</font><br> <p> I would expect SUID/SGID files in subordinate namespaces to work normally, with the caveat that they are SUID/SGID to the corresponding unprivileged user and/or group outside the namespace and not the privileged user/group they appear to belong to inside the namespace. Note that normal users can create SUID/SGID binaries if they have write access to any non-nosuid filesystem; they just can't make them SUID to other users or groups of which they are not members, such as root. It is perfectly possible to create a binary which can be run by other users with your own UID and/or one of your groups (something to look out for if you're trying to revoke permissions).<br> <p> Forcing nodev for filesystems mounted by users who are not privileged in the root namespace does make a lot of sense, however. I would go so far as to say that it ought to be the default, with root namespace privileges required to enable device support. In most systems there are only two filesystems which should contain device nodes: /dev and /dev/pts.<br> </div> Thu, 14 Jan 2016 18:48:25 +0000 https://lwn.net/Articles/671935/ https://lwn.net/Articles/671935/ iabervon <div class="FormattedComment"> The step that seems most surprising to me is that a process in namespace A is affected by the setuid bit on a file in namespace B; I'd expect the VFS to treat files from a namespace not in your ancestry as if they were on a nosuid,nodev mount.<br> <p> On the other hand, the fact that it's possible to look into another namespace, but it's not obvious that you can, is a poor situation; it's hard to remember the security design when some things that are not actually prohibited are hard or awkward to do.<br> </div> Thu, 14 Jan 2016 17:46:43 +0000 https://lwn.net/Articles/671821/ https://lwn.net/Articles/671821/ alexl <div class="FormattedComment"> Not to mention that debian requires you to explicitly enable the kernel.unprivileged_userns_clone sysctl for non-privileged user namespace support, and the fact that even then you can't mount overlayfs (see erics comment above).<br> <p> </div> Thu, 14 Jan 2016 08:25:01 +0000 https://lwn.net/Articles/671803/ https://lwn.net/Articles/671803/ clopez <div class="FormattedComment"> OverlayFS was introduced in <a href="https://git.kernel.org/linus/e9be9d">https://git.kernel.org/linus/e9be9d</a> (v3.18-rc2)<br> <p> So it don't affects any kernel &lt; 3.18.<br> Debian stable has 3.16<br> </div> Thu, 14 Jan 2016 02:30:47 +0000 https://lwn.net/Articles/671777/ https://lwn.net/Articles/671777/ nybble41 <div class="FormattedComment"> <font class="QuotedText">&gt; The exploit uses another property of namespaces that has always seemed like something of a bug: the /proc filesystem provides a route for processes outside of a namespace to "see" inside it.</font><br> <p> This actually seems to me like the normal and expected operation of a namespace: processes outside the namespace can see into it, but processes inside the namespace cannot see out. It wouldn't make sense, for example, for a process to be able to create a PID namespace to hide child processes from the original user. Running processes inside a namespace is about limiting those processes, not the ones outside the namespace. Of course, everything needs to be translated properly so that outside processes looking into a namespace see the correct user IDs and so forth.<br> <p> As for the issue of tricking mount—or probably any number of other programs—into writing to an inherited file descriptor for a SUID file, wouldn't it make more sense to revoke the SUID bit when the file is first opened for write access by a non-root process, rather than waiting until data is actually written? The target program wouldn't even need to be SUID, if it can receive file descriptors from non-root processes some other way. Unix domain sockets (as used in DBUS) come to mind as a possible attack vector.<br> </div> Wed, 13 Jan 2016 21:55:48 +0000 https://lwn.net/Articles/671774/ https://lwn.net/Articles/671774/ ebiederm <div class="FormattedComment"> Mainline kernels are not affected as they do not allow mounting overlayfs with only user namespace privilege. Only Ubuntu was affected.<br> <p> The mainline commit messages not talking about a problem which does not and did not exist in the kernel that was being modified seems reasonable in that context.<br> </div> Wed, 13 Jan 2016 21:23:15 +0000