On Tue, 2021-06-15 at 13:04 +0200, HolyTaint wrote: > I stumbled upon this answer from three years ago ( > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446) > "User namespaces *are* enabled - but by default, they can only be > created by root". Note that this default has been changed in the kernel version available in testing/unstable. > I need clarifications on that, cause I didn't quite know how > namespace management works. > I experimented a bit, from what I got it creates a namespace > originating from the user asking it, and using it as normal user was > disabled by default because it clearly adds lots of attack surface by > exposing code that would normally be used by just root. Also in this > little space there is a mapping between namespace users and > originating user > > What I didn't quite got is, does this patch allow creating namespaces > belonging to an user from root, thus avoiding the possibility of > privilege escalation, or having user namespaces running from > unprivileged users is a threat by itself? [...] If by "belonging to a user" you mean "user appears as uid 0 inside the user namespace, and may have some capabilities there" - then yes, it is possible for root to create a user namespace belonging to another user. (I don't know exactly how to do that, though.) Ben. -- Ben Hutchings The program is absolutely right; therefore, the computer must be wrong.
Attachment:
signature.asc
Description: This is a digitally signed message part