"Serge E. Hallyn" <serge@xxxxxxxxxx> writes: > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): >> Serge Hallyn <serge.hallyn@xxxxxxxxxx> writes: >> >> > Quoting Daniel P. Berrange (berrange@xxxxxxxxxx): >> >> Is it not sufficient to rely on the permissions on the /proc/$PID/ns/XXX >> >> file to control access to a namespace, and thus allow setns() without >> >> a CAP_SYS_ADMIN check ? The permissions on /proc/$PID/ns/XXX are sufficient to control access but they are not ok to allow use. >> >> ie setns() is basically useless unless you >> >> already have sufficient privileges to get a file descriptor for the >> >> namespace, so why does setns need an additional privilege check beyond >> >> that done at time of open() on the proc file. To be very clear. setns requires CAP_SYS_ADMIN because changing the namespaces for your children can result in tricking a suid root application and thus lead to privilege escalation. If you run setns inside a user namespace that you control the privilege escalation is not possible and so setns is allowed. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
