• E
    userns: Require CAP_SYS_ADMIN for most uses of setns. · 5e4a0847
    Eric W. Biederman 提交于
    Andy Lutomirski <luto@amacapital.net> found a nasty little bug in
    the permissions of setns.  With unprivileged user namespaces it
    became possible to create new namespaces without privilege.
    
    However the setns calls were relaxed to only require CAP_SYS_ADMIN in
    the user nameapce of the targed namespace.
    
    Which made the following nasty sequence possible.
    
    pid = clone(CLONE_NEWUSER | CLONE_NEWNS);
    if (pid == 0) { /* child */
    	system("mount --bind /home/me/passwd /etc/passwd");
    }
    else if (pid != 0) { /* parent */
    	char path[PATH_MAX];
    	snprintf(path, sizeof(path), "/proc/%u/ns/mnt");
    	fd = open(path, O_RDONLY);
    	setns(fd, 0);
    	system("su -");
    }
    
    Prevent this possibility by requiring CAP_SYS_ADMIN
    in the current user namespace when joing all but the user namespace.
    Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
    5e4a0847
namespace.c 68.2 KB