| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87io2degsu.fsf@x220.int.ebiederm.org> Date: Thu, 28 Jan 2016 11:48:33 -0600 From: ebiederm@...ssion.com (Eric W. Biederman) To: Kees Cook <keescook@...omium.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, Al Viro <viro@...iv.linux.org.uk>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andy Lutomirski <luto@...nel.org>, "Austin S. Hemmelgarn" <ahferroin7@...il.com>, Richard Weinberger <richard@....at>, Robert Święcki <robert@...ecki.net>, Dmitry Vyukov <dvyukov@...gle.com>, David Howells <dhowells@...hat.com>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH v2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook <keescook@...omium.org> writes: > + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) && > + capable(CAP_SETUID) && > + capable(CAP_SETGID))) > + return -EPERM; > + I will also note that the way I have seen containers used this check adds no security and is not mentioned or justified in any way in your patch description. Furthermore this looks like blame shifting. And quite frankly shifting the responsibility to users if they get hacked is not an acceptable attitude. Eric
Powered by blists - more mailing lists