thoughts? (patch is on top of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git#next) thanks, -serge Subject: [PATCH] user namespaces: require cap_set{ug}id for CLONE_NEWUSER While ideally CLONE_NEWUSER will eventually require no privilege, the required permission checks are currently not there. As a result, CLONE_NEWUSER has the same effect as a setuid(0)+setgroups(1,"0"). While we already require CAP_SYS_ADMIN, requiring CAP_SETUID and CAP_SETGID seems appropriate. Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx> --- kernel/fork.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) 32c36be0621dba3bf05af3d2df843ce803d25831 diff --git a/kernel/fork.c b/kernel/fork.c index 1dd8945..e3a85b3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1344,7 +1344,8 @@ long do_fork(unsigned long clone_flags, /* hopefully this check will go away when userns support is * complete */ - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || + !capable(CAP_SETGID)) return -EPERM; } -- 1.1.6 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers