| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrUx_O7Uiyxjs8H++bAR34dSvWny+HsVzXasCVE9wHFGFA@mail.gmail.com> Date: Tue, 8 Mar 2016 10:31:45 -0800 From: Andy Lutomirski <luto@...capital.net> To: Serge Hallyn <serge.hallyn@...ntu.com> Cc: Stephane Graber <stgraber@...ntu.com>, Colin Walters <walters@...bum.org>, Kees Cook <keescook@...omium.org>, Linux Containers <containers@...ts.linux-foundation.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Seth Forshee <seth.forshee@...onical.com>, Alexander Larsson <alexl@...hat.com> Subject: Re: Thoughts on tightening up user namespace creation On Mar 7, 2016 10:06 PM, "Serge E. Hallyn" <serge.hallyn@...ntu.com> wrote: > > On Mon, Mar 07, 2016 at 09:15:25PM -0800, Andy Lutomirski wrote: > > - Ubuntu requires CAP_SYS_ADMIN > > No, it does not. It has temporarily re-added a sysctl which can enable > that behavior, but it's not set by default. The reason for providing it > is not a distrust of user namespaces in general, but because we're enabling > some bleeding edge patches which haven't been accepted upstream yet. Once > they're accepted upstream I expect that patch to be dropped again, unless > it has gone upstream. > > Debian does afaik still have a version of a patch I'd originally written > before user namespaces were upstream which defaulted unprivileged userns > cloning to off. Did you mean Debian here? I meant Ubuntu 14.04, which I tested, possibly poorly.
Powered by blists - more mailing lists