2016-01-28 18:48 GMT+01:00 Eric W. Biederman:
> Kees Cook writes:
>
>> + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) &&
>> + capable(CAP_SETUID) &&
>> + capable(CAP_SETGID)))
>> + return -EPERM;
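Review bot: The test on sysctl_userns_restrict in the first line of the condition is a plain non-zero check, so every non-zero value behaves identically and there is no room to add a stricter level later without changing what existing settings mean. Define the accepted values up front and bound them where the sysctl is registered (not part of these lines). Separately, capable() checks against the initial user namespace, so a task that holds CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID only inside an existing user namespace also gets -EPERM here; if that is intended, a short comment above the check should say so.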
>>
>> The admin of such a machine could have disabled userns months earlier
>> and limited the scope of the attack.
>
> Of course for the paranoid there is already a mechanism to do this.
> /sbin/chroot.
>
> No new user namespaces are allowed to be created inside of a chroot.
Another alternative is t
ystems I checked. On which version did you find
> that?
$ uname -a
Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1
(2016-01-07) x86_64 GNU/Linux
$ cat /etc/debian_version
8.2
IIRC some older kernels delivered with Ubuntu Precise were also using
it (but maybe I'm mistaken)
--
Ro
;
> + if (sysctl_userns_restrict == 2 ||
> + (sysctl_userns_restrict == 1 && (!capable(CAP_SYS_ADMIN) ||
> +!capable(CAP_SETUID) ||
> +!capable(CAP_SETGID
> + return -EPERM;
> +
> ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
> if (!ns)
> return -ENOMEM;
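Review bot: The two comparisons (sysctl_userns_restrict == 2 and sysctl_userns_restrict == 1) let any other value fall through, so a setting of 3 or a negative number leaves creation unrestricted and the check fails open. Either bound the sysctl to 0..2 where it is registered (not visible in this hunk) or write the first test as sysctl_userns_restrict >= 2. Mode 2 also returns -EPERM to callers that hold all three capabilities, which deserves a line in the sysctl documentation so admins know it disables creation outright.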
> --
> 2.6.3
>
--
Robert Święcki
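
Added example, not part of the thread or of the proposed patch: a small C probe an admin can run as a given user to see whether that user may create a user namespace, which is what the restriction discussed above (and the chroot rule Eric mentions) would change. The function names probe_userns and explain are made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if a new user namespace could be created, the errno from
 * unshare(2) if it was refused, or -1 if the probe itself failed. */
int probe_userns(void)
{
    int pfd[2], err = -1;
    pid_t pid;

    if (pipe(pfd) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: only its namespaces change */
        int e = unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
        close(pfd[0]);
        _exit(write(pfd[1], &e, sizeof e) == (ssize_t)sizeof e ? 0 : 1);
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = -1;                   /* child died before reporting */
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return err;
}

/* Map the probe result to what it means for the caller. */
const char *explain(int rc)
{
    switch (rc) {
    case 0:      return "allowed: caller can create user namespaces";
    case EPERM:  return "refused (EPERM): restricted by policy, or caller is chrooted";
    case EINVAL: return "refused (EINVAL): no userns support, or caller is multithreaded";
    case -1:     return "probe failed (pipe/fork error)";
    default:     return "refused: other errno";
    }
}

int main(void)
{
    int rc = probe_userns();
    printf("unshare(CLONE_NEWUSER): %s (rc=%d)\n", explain(rc), rc);
    return 0;
}
```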