07.05.2024 10:50, Aleksa Sarai wrote:
If you are a privileged process which plans to change users,
Not privileged at all. But I think what you say is still possible with userns?
A new attack I just thought of while writing this mail is that because there is no RESOLVE_NO_XDEV requirement, it should be possible for the process to get an arbitrary write primitive by creating a new userns+mountns and then bind-mounting / underneath the directory.
Doesn't this need a write perm to a directory? In his case this is not a threat, because you are not supposed to have a write perm to that dir. OA2_CRED_INHERIT is the only way to write.