
Bug#754193: linux-image-3.2.0-4-amd64: reboot(2) called from a PID namespace shuts down a host



Hi,

On Tue, Jul 08, 2014 at 05:30:48PM +0100, Ben Hutchings wrote:
> On Tue, 2014-07-08 at 16:33 +0200, Łukasz Stelmach wrote:
> > Package: src:linux
> > Version: 3.2.60-1+deb7u1
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > tl;dr: init in a container (PID namespace) can call reboot(2) and
> > shut down the host machine.
> 
> Yes, and you need real user namespaces (as introduced in Linux 3.7) to
> prevent this.
> 
> > Please refer to [1] for a detailed description of symptoms.
> > 
> > After some investigation and thanks to help received from systemd
> > developers I can tell the problems can be solved by applying [2] to the
> > kernel. The patch is relatively old, it has been released only three
> > months after 3.2.0 so I hope applying it wouldn't be a problem.
> [...]
> 
> This change seems to make containers work better, but it does not
> improve security.  I'm not sure whether this is sufficient justification
> for a stable update.  Please can you ask the stable release team
> (debian-release@lists.debian.org) to consider this.

I'm still inclined to close this bug now, would you agree?

Regards,
Salvatore

