Date: Mon, 17 Dec 2012 11:03:56 -0800
From: Andy Lutomirski <luto@...capital.net>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Linux Containers <containers@...ts.linux-foundation.org>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, "Serge E. Hallyn" <serge@...lyn.com>, David Howells <dhowells@...hat.com>
Subject: Re: [PATCH 2/4] userns: Require CAP_SYS_ADMIN for most uses of setns.

On Fri, Dec 14, 2012 at 2:03 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
> Andy Lutomirski <luto@...capital.net> found a nasty little bug in
> the permissions of setns. With unprivileged user namespaces it
> became possible to create new namespaces without privilege.
>
> However the setns calls were relaxed to only require CAP_SYS_ADMIN in
> the user namespace of the target namespace.
>
> Which made the following nasty sequence possible.
>
> pid = clone(CLONE_NEWUSER | CLONE_NEWNS);
> if (pid == 0) { /* child */
>     system("mount --bind /home/me/passwd /etc/passwd");
> }
> else if (pid != 0) { /* parent */
>     char path[PATH_MAX];
>     snprintf(path, sizeof(path), "/proc/%u/ns/mnt");
>     fd = open(path, O_RDONLY);
>     setns(fd, 0);
>     system("su -");
> }
>
> Prevent this possibility by requiring CAP_SYS_ADMIN
> in the current user namespace when joining all but the user namespace.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> ---
>  fs/namespace.c           | 3 ++-
>  ipc/namespace.c          | 3 ++-
>  kernel/pid_namespace.c   | 3 ++-
>  kernel/utsname.c         | 3 ++-
>  net/core/net_namespace.c | 3 ++-
>  5 files changed, 10 insertions(+), 5 deletions(-)

Acked-by: Andy Lutomirski <luto@...capital.net>
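As an added illustration (not part of the mail above or of the kernel patch), here is a simplified C model of the two permission rules the commit message contrasts: the relaxed check that only consulted the user namespace owning the target namespace, and the patched check that additionally requires CAP_SYS_ADMIN in the caller's own user namespace. The structs, the uid values and the capability walk are assumptions modelled on how ns_capable() treats the creator of a child user namespace; they are not the kernel's code.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified stand-ins for kernel structures (not kernel code). */
struct user_ns { struct user_ns *parent; unsigned owner; }; /* owner: creator's uid */
struct mnt_ns  { struct user_ns *user_ns; };                /* user ns owning the mount ns */
struct cred    { struct user_ns *user_ns; unsigned euid; bool cap_sys_admin; };

/* Model of ns_capable(targ, CAP_SYS_ADMIN): capable if the cap is in the
 * caller's effective set for its own user ns, or if the caller created
 * the target ns (or an ancestor of it) from its own user ns. */
static bool ns_capable_sys_admin(const struct cred *c, const struct user_ns *targ)
{
    for (;;) {
        if (targ == c->user_ns)
            return c->cap_sys_admin;
        if (targ->parent == NULL)          /* initial user ns: nothing above it */
            return false;
        if (targ->parent == c->user_ns && targ->owner == c->euid)
            return true;                   /* caller owns this child ns */
        targ = targ->parent;
    }
}

/* Relaxed rule the commit message describes: CAP_SYS_ADMIN only in the
 * user namespace of the target namespace. */
bool setns_allowed_before(const struct cred *c, const struct mnt_ns *ns)
{
    return ns_capable_sys_admin(c, ns->user_ns);
}

/* Patched rule: CAP_SYS_ADMIN in the caller's current user namespace too. */
bool setns_allowed_after(const struct cred *c, const struct mnt_ns *ns)
{
    return ns_capable_sys_admin(c, c->user_ns) &&
           ns_capable_sys_admin(c, ns->user_ns);
}

/* Replays the clone(CLONE_NEWUSER|CLONE_NEWNS) + setns() sequence from the
 * commit message with a constructed unprivileged caller (uid 1000, no caps in
 * the initial user ns). Returns 1 when the relaxed rule admits the join and
 * the patched rule refuses it, 0 otherwise. */
int demo_unprivileged_join(void)
{
    struct user_ns init_ns   = { NULL, 0 };
    struct user_ns child_ns  = { &init_ns, 1000 };   /* created by uid 1000 */
    struct mnt_ns  child_mnt = { &child_ns };        /* child's new mount ns */
    struct cred    parent    = { &init_ns, 1000, false };
    return setns_allowed_before(&parent, &child_mnt) &&
          !setns_allowed_after(&parent, &child_mnt);
}
```

The model only captures the ownership rule that made the relaxed check pass for the creator of a child user namespace; the real ns_capable() also handles nested namespaces and per-namespace capability sets.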