On 11/13/2013 11:13 PM, Daniel P. Berrange wrote: > The user namespace work gave us two new features > > - Ability to set UID/GID mappings between containers & host > - Ability for unprivileged users to create namespaces > > The first of these features is really critical to be able to make the > use of LXC secure using DAC, rather than having to rely on the use of > MAC (SELinux/AppArmour) protection. > > The second feature is a nice, but it is not critical in the same way, > since it is all about opening up new use cases, rather than securing > existing use cases. > > Both of these features are under the same CONFIG_USER_NS Kconfig setting, > so you can't get the former without also getting the latter. > > This is a problem because distro kernel maintainers are rejecting requests > to enable CONFIG_USER_NS over concern that it significantly expands the > attack surface accessible to unprivileged users. Fedora, RHEL & Arch Linux > have all rejected enabling CONFIG_USER_NS as it is due to this concern. > > This sucks, because there's a really pressing need to make the ID mapping > feature available, while there isn't much sense of urgency over allowing > unprivileged users to create namespaces. > > In Fedora I managed to get agreement to enable CONFIG_USER_NS provided > that the following patch is reverted [1] > > commit 5eaf563e53294d6696e651466697eb9d491f3946 > Author: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > Date: Mon Nov 21 17:22:31 2011 -0800 > > userns: Allow unprivileged users to create user namespaces. I don't know what's the benefit this commit brings and what's use case this commit tries to support. In most use case, the container/namespace is create by privilged user and the id-map can prevent unsafe things. IMO, I think this patch can be reverted. Thanks _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
