On Tue, Jan 26, 2016 at 9:15 AM, Serge Hallyn <serge.hallyn@xxxxxxxxxx> wrote: > Quoting Josh Boyer (jwboyer@xxxxxxxxxxxxxxxxx): >> What you're saying is true for the "oh crap" case of a new userns >> related CVE being found. However, there is the case where sysadmins >> know for a fact that a set of machines should not allow user >> namespaces to be enabled. Currently they have 2 choices, 1) use their > > Hi - can you give a specific example of this? (Where users really should > not be able to use them - not where they might not need them) I think > it'll help the discussion tremendously. Because so far the only good > arguments I've seen have been about actual bugs in the user namespaces, > which would not warrant a designed-in permanent disable switch. If > there are good use cases where such a disable switch will always be > needed (and compiling out can't satisfy) that'd be helpful. My example is a machine in a colo rack serving web pages. A site gets attacked, and www-data uses user namespaces to continue their attack to gain root privileges. The admin of such a machine could have disabled userns months earlier and limited the scope of the attack. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
