Re: user namespaces: user mapping

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Mike Frysinger wrote on 11/17/2015 05:32 AM:

On 17 Nov 2015 00:41, U.Mutlu wrote:

I did some research on the net, and the findings are:
   - user namespaces have their own security holes


there are no known security issues.  like all new code, there were some edge
cases in the original implementation, but they've been fixed since.  the only
thing left is that people don't like the new attack surface and inherently
distrust it.  but that's not the same thing as there being known security holes.


see below


   - a workaround exists, but then a new problem happens: loop devices cannot
be accessed


loop devices are merely files which are owned by the root user.  not being able
to open files owned by the "real" root is to be expected.


Does the user need to create his own loop device(s)?


you need to have the system/root chown them as the user before doing anything
else.  sucks, but that's currently how it works.
Come on, what about the other users and the system itself, as they need them too... 


 would be nice if someone
looked into making it more accessible to users.  maybe others on this list are
aware of ongoing work.


Hmm. it looks like there is (currently?) a big mess with user namespaces:
https://code.google.com/p/chromium/issues/detail?id=457362


no, no there is not
This is an excerpt from a recent posting (Oct-17) in the containers newsgroup you posted the link here ( http://lists.linuxfoundation.org/pipermail/containers/2015-October/036333.html ), cite: 

|>>> Linux 3.8 saw the introduction of unpriviledged user namespaces,
|>>> allowing unpriviledged users (without CAP_SYS_ADMIN) to be a "fake" root
|>>> inside a separate user namespace. Before that, any namespace creation
|>>> required CAP_SYS_ADMIN (or, in practice, the user had to be root).
|>>> Unfortunately, there have been some security-relevant bugs in the
|>>> meantime. Because of the fairly complex nature of user namespaces, it is
|>>> reasonable to say that future vulnerabilties can not be excluded. Some
|>>> distributions even wholly disable user namespaces because of this.

user namespaces is not mature yet.


--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux