| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210628121729.xsbm63b5lxpsvhbu@wittgenstein>
Date: Mon, 28 Jun 2021 14:17:29 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: menglong8.dong@...il.com
Cc: mcgrof@...nel.org, keescook@...omium.org, yzaikin@...gle.com,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Yang Yang <yang.yang29@....com.cn>,
Zeal Robot <zealci@....com.cn>
Subject: Re: [PATCH] sysctl: fix permission check while owner isn't
GLOBAL_ROOT_UID
On Fri, Jun 25, 2021 at 01:33:38AM -0700, menglong8.dong@...il.com wrote:
> From: Yang Yang <yang.yang29@....com.cn>
>
> With user namespace enabled, root in container can't modify
> /proc/sys/net/ipv4/ip_forward. While /proc/sys/net/ipv4/ip_forward
> belongs to root and mode is 644. Since root in container may
> be non-root in host, but test_perm() doesn't consider about it.
I'm confused about what the actual problem is tbh:
root@h3:~# stat -c "%A %a %n" /proc/sys/net/ipv4/ip_forward
-rw-r--r-- 644 /proc/sys/net/ipv4/ip_forward
root@h3:~# echo 0 > /proc/sys/net/ipv4/ip_forward
root@h3:~# cat /proc/sys/net/ipv4/ip_forward
0
root@h3:~# cat /proc/self/uid_map
0 100000 1000000000
Also, this patch changes the security requirements for all sysctls which
is unfortunately unacceptable.
Powered by blists - more mailing lists