Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

On Fri, Dec 28, 2012 at 20:05 -0800, Eric W. Biederman wrote:
> Vasily Kulikov <segoon@xxxxxxxxxxxx> writes:
> 
> > Currently there is completely no limiting in number of user namespaces
> > created by unprivileged users.  One can freely create thousands of
> > user_ns'es and exhaust kernel memory without even bumping in
> > RLIMIT_NPROC or similar.
> 
> First for a proper sense of scale it will take roughly 14,000 to consume
> a megabyte.  So it will take hundreds of millions of user namespaces to
> eat up all of kernel memory.

Yes, but you can freely create *any* number of nested userns by a loop:

    for() {
        unshare()
        write to /proc/self/{u,g}id_map
    }

> > The code needs several checks.  First, no one should be able to create
> > user_ns of arbitrary depth.  Besides kernel stack overflow one could
> > create too big depth to DoS processes belonging to other users by
> > forcing them to loop a long time in cap_capable called from some
> > ns_capable() (e.g. in case one does smth like "ls -R /proc").
> 
> Where do you get a ns_capable call from "ls -R /proc" ?

E.g. if procfs is mounted with hidepid=2 then ls does
ptrace_may_access() check. 

Thanks,

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
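
The cost argument in the message above, as an added example that is not part of the original message or of the patch: a userspace C model of the parent walk done by cap_capable(), showing that a check made on behalf of an unrelated user grows linearly with nesting depth unless namespace creation is capped. The struct layout, the function names, the uids and the cap of 32 are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_NS_LEVEL 32 /* assumed cap for this model, not taken from the thread */

struct user_ns { struct user_ns *parent; int level; int owner; };
struct cred { struct user_ns *ns; int euid; int has_cap; };
static struct user_ns init_ns = { NULL, 0, 0 };

/* Create a child namespace; limit <= 0 models the unlimited behaviour. */
struct user_ns *ns_create(struct user_ns *parent, int owner, int limit)
{
    struct user_ns *ns;
    if (limit > 0 && parent->level >= limit)
        return NULL; /* nesting cap reached, creation refused */
    if (!(ns = malloc(sizeof(*ns))))
        return NULL;
    ns->parent = parent; ns->level = parent->level + 1; ns->owner = owner;
    return ns;
}

/* Simplified cap_capable(): walk from the target namespace towards init_ns.
 * Returns 1 if permitted, 0 if not; *steps receives the iteration count. */
int ns_capable_model(const struct cred *c, struct user_ns *targ, long *steps)
{
    for (*steps = 1; ; (*steps)++) {
        if (targ == c->ns) return c->has_cap;
        if (targ == &init_ns) return 0;
        if (targ->parent == c->ns && targ->owner == c->euid) return 1;
        targ = targ->parent;
    }
}

/* Nest up to `want` namespaces owned by uid 2000, then count the iterations
 * a check by an unrelated uid 1000 in init_ns needs against the deepest one. */
long walk_cost(int want, int limit, int *built)
{
    struct user_ns *ns = &init_ns, *next;
    struct cred other = { &init_ns, 1000, 0 }; /* constructed credential */
    long steps;
    for (*built = 0; *built < want && (next = ns_create(ns, 2000, limit)); (*built)++)
        ns = next;
    ns_capable_model(&other, ns, &steps);
    while (ns != &init_ns) { next = ns->parent; free(ns); ns = next; }
    return steps;
}

int main(void)
{
    int b1, b2;
    long s1 = walk_cost(100000, 0, &b1), s2 = walk_cost(100000, MAX_NS_LEVEL, &b2);
    printf("unlimited: depth %d, %ld steps; capped: depth %d, %ld steps\n", b1, s1, b2, s2);
    return 0;
}
```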

