Re: unshare -m should not be a privileged option

Mike Frysinger wrote on 11/16/2015 05:19 AM:
> On 16 Nov 2015 03:26, U.Mutlu wrote:
> > I'm proposing that "unshare -m" should not be a privileged option,
>
> what you're asking for is not coming from util-linux.  unshare is merely an
> interface to the unshare() syscall.  if you dislike the security semantics
> there, you can post to the namespace mailing list:
> https://lists.linuxfoundation.org/mailman/listinfo/containers
>
> > Therefore the -m option (and maybe even most of the other options) of unshare
> > should be made to work for users, without needing root permission.
>
> they do already -- with user namespaces.  if you give people the ability to
> mount anything in the existing mount namespace, you open up attacks:
> - create an ext2 fs as the user with some setuid programs
> - create a new mount namespace
> - mount that image
> - instant root

I think there is a 'misunderstanding': it happens earlier, ie. when doing
"unshare -m bash" then you already become root in the new shell.
It has nothing to do with ext2 or the mount.

As I already said: solution to this problem is:
chmod u+s unshare
and starting the unshare cmd unprivileged (ie. as user) and directly (ie. not via sudo).

But the bind-mount danger (vuln) still remains.
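
A defender-side check for the scenario in the quoted reply (a user-supplied filesystem image carrying setuid programs): list the mounts that do not carry `nosuid`, since only those honour setuid bits. This is an added example, not part of the thread or of util-linux; the sample mountinfo lines and the allow-list containing only `/` are constructed assumptions.

```python
"""Flag mounts that still honour setuid bits (no 'nosuid'), from mountinfo text."""
import re

# Constructed sample in /proc/self/mountinfo format (not taken from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec shared:5 - proc proc rw
41 22 7:0 / /home/alice/mnt rw,relatime - ext2 /dev/loop0 rw
42 22 7:1 / /media/usb\\040stick rw,nosuid,nodev - ext2 /dev/loop1 rw
43 22 0:40 / /tmp rw,nodev shared:9 - tmpfs tmpfs rw
"""


def unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # Fields 0-5 are fixed; optional fields follow and end at a lone "-".
        if "-" not in fields[6:]:
            continue
        sep = fields.index("-", 6)
        if len(fields) < sep + 3:
            continue
        mounts.append({
            "mount_point": unescape(fields[4]),
            "options": set(fields[5].split(",")),  # per-mount options
            "fstype": fields[sep + 1],
            "source": unescape(fields[sep + 2]),
        })
    return mounts


def suid_honouring_mounts(text, allowed=("/",)):
    """Return mounts without 'nosuid' whose mount point is not allow-listed."""
    return [m for m in parse_mountinfo(text)
            if "nosuid" not in m["options"] and m["mount_point"] not in allowed]


if __name__ == "__main__":
    for m in suid_honouring_mounts(SAMPLE_MOUNTINFO):
        print(f'{m["mount_point"]}: {m["fstype"]} from {m["source"]} lacks nosuid')
```

On a live system, pass the contents of `/proc/self/mountinfo` instead of the sample and extend `allowed` with the mount points that are expected to hold setuid binaries.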

