Tue, 15 Jun 2021 13:04:54 +0200 HolyTaint <holyta...@disroot.org>:
> I stumbled upon this answer from three years ago
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446)
> "User namespaces *are* enabled - but by default, they can only be created by
> root".
> I need clarification on that, because I didn't quite know how namespace
> management works.
> I experimented a bit; from what I got, it creates a namespace originating from
> the user asking for it, and using it as a normal user was disabled by default
> because it clearly adds lots of attack surface by exposing code that would
> normally be used by just root. Also, in this little space there is a mapping
> between namespace users and the originating user.
>
> What I didn't quite get is: does this patch allow creating namespaces
> belonging to a user from root, thus avoiding the possibility of privilege
> escalation, or is having user namespaces run by unprivileged users a
> threat by itself?
>
> I ask this because I'm particularly concerned about unprivileged container
> support. While it is certainly good not to give regular UIDs access to critical
> pieces of the Linux kernel, it may be counterproductive in the case of a
> single user deputed just for running unprivileged containers, if there is
> no other way of creating such unprivileged namespaces.
>
> If there is some info I'm missing, please explain it or link resources. I
> searched what I could, but apparently it wasn't enough.
>
Please give me info on this issue. I believe it is really important for
developing solutions which make full use of the Linux kernel namespace
capabilities while avoiding potential pitfalls.
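
The two things the message above asks about, whether unprivileged users may create user namespaces and how uids inside a namespace map to the originating user, can be inspected from userspace. The following is an added example, not part of the original message or of the Debian patch. The sysctl paths are not named in the post and are assumptions (kernel.unprivileged_userns_clone as the Debian-patch knob, user.max_user_namespaces as the upstream limit), and the uid_map content is a constructed sample.

```python
from pathlib import Path

# Assumed sysctl paths (not named in the post). The first exists only on
# kernels carrying the Debian patch; the second is the upstream limit.
DEBIAN_KNOB = Path("/proc/sys/kernel/unprivileged_userns_clone")
UPSTREAM_KNOB = Path("/proc/sys/user/max_user_namespaces")

# Constructed sample of /proc/<pid>/uid_map for a rootless container.
# Columns: <first uid inside ns> <first uid outside ns> <range length>
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

def read_int(path):
    """Return the integer stored in a sysctl file, or None if unavailable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None

def unprivileged_userns_allowed(debian_knob, max_user_namespaces):
    """True/False from the two settings; None when neither is exposed."""
    if debian_knob is None and max_user_namespaces is None:
        return None
    if max_user_namespaces == 0 or debian_knob == 0:
        return False
    return True

def parse_uid_map(text):
    """Parse uid_map text into (inside_start, outside_start, length) tuples."""
    return [tuple(int(field) for field in line.split())
            for line in text.splitlines() if line.strip()]

def to_outside_uid(uid_map, inside_uid):
    """Translate a uid seen inside the namespace to the uid outside it."""
    for inside, outside, length in uid_map:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None  # uid has no mapping in this namespace

if __name__ == "__main__":
    print("unprivileged userns allowed:",
          unprivileged_userns_allowed(read_int(DEBIAN_KNOB), read_int(UPSTREAM_KNOB)))
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    # uid 0 ("root") inside the namespace is the unprivileged uid 1000 outside.
    for uid in (0, 1, 1000, 65537):
        print(f"inside uid {uid} -> outside uid {to_outside_uid(uid_map, uid)}")
```
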