| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jul 2011 14:22:23 +0200 From: Arkadiusz Miskiewicz <a.miskiewicz@...il.com> To: linux-kernel@...r.kernel.org Cc: "Serge E. Hallyn" <serge.hallyn@...onical.com>, Herbert Poetzl <herbert@...hfloor.at> Subject: 3.0: user namespace problem with capabilities Hi, linux-vserver guys think that there is a problem with user namespace in upcoming 3.0 "this is a mainline/upstream bug, which basically happens when unsharing the USER namespace. what happens is that all capabilities are dropped, and as result, the userspace tool cannot issue Linux-VServer syscall commands anymore (because of missing CAP_CONTEXT)" "this can be verified on vanilla linux-3.0 kernels with http://vserver.13thfloor.at/Stuff/clone_newuser.c in the following way: gcc -o clone_newuser clone_newuser.c ./clone_newuser ls /root/ assuming that /root does not have any right for 'other' this will result in a permission denied (when the USER namespace is compiled into the kernel)" Whole post: http://list.linux-vserver.org/archive?msp:5151:ekldgndhkgmehnehiegi What's maintainers opinion on this? -- Arkadiusz MiĆkiewicz PLD/Linux Team arekm / maven.pl http://ftp.pld-linux.org/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists