3/29/2025 at 7:07:44 PM
by birdculture
3/29/2025 at 9:54:46 PM
Important caveat: this is not itself a vulnerability; you still need a kernel `CAP_SYS_ADMIN` vulnerability if you want to actually do something evil.(I also expect that if you're already in a restricted AA profile it's not easy to switch to a less-restrictive one, but I think a lot of security tools are bad at thinking about multi-process interpreters)
by o11c
3/30/2025 at 1:42:53 AM
Unprivileged user namespaces are not a security vulnerability. Ubuntu's short-sighted and reactionary decision to ban them makes systems less, not more, secure overall, since with this capability gone, it makes it that much harder for a well-behaved unprivileged program to set up a userspace sandbox. If the kernel has vulnerabilities, fix them. Don't just randomly break useful features.by quotemstr
3/30/2025 at 7:13:46 AM
Broken security boundaries are actively harmful. If you offer something that looks like a security boundary, then people will design their systems on the assumption that it does what it looks like it does. Doubly so if it is actually documented as a security feature. They will then _not_ look into alternative mechanisms to achieve their security goals, even when those alternatives exist and are less susceptible to holes.Yes, the kernel should be fixed. But until the kernel is fixed, distributions should not be enabling broken features by default.
by gizmo686
3/30/2025 at 1:05:10 PM
This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousness is making it hard for application authors to use new features and advance the state of the art. The kernel should not have random knobs for disabling new technology.> But until the kernel is fixed
The kernel is in fact fixed. The occasional bug doesn't obviate the maturity of the system. If it did, you wouldn't use Linux at all
by quotemstr
3/30/2025 at 4:19:36 PM
>The occasional bug doesn't obviate the maturity of the system.Here you are hoping that the reader will equate "mature" with fewer bugs, but in reality the only sense that Linux is obviously and incontestably mature is in the sense of having existed for many years.
Have you considered the possibility that Linux is adding security holes at a rate higher than they are being removed? I see a lot of evidence that that is so (and has always been so). There is certainly a lot of new code being added to the project all the time.
by hollerith
3/30/2025 at 3:29:03 PM
> This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousnessIt's not "superstitiousness" when the new features did in fact have vulnerabilities.
by yjftsjthsd-h
3/30/2025 at 3:57:06 PM
The superstition lasts a lot longer than the vulnerabilities do.by quotemstr
3/30/2025 at 4:14:29 PM
Yes, obviously; a feature with a history of vulnerabilities is likely to have more that have not yet been found and patched. It's a guess, but in the but in the face of unknown unknowns it's rational.by yjftsjthsd-h
3/30/2025 at 4:17:48 PM
You know, I'm still unsure about this "thread" concept some programs use. It's kind of insane for ONE program to do TWO THINGS at the SAME TIME. I think it can lead to security problems. Please add a sysctl knob letting me turn off this dangerous technology until we fix all the problems with it.by quotemstr
3/30/2025 at 4:41:09 PM
First: That's a strawman. Nobody's saying we can't ever use new features, just that it's reasonable to be cautious with new code that demonstrably has a history of problems. When io_uring has a few decades under its belt I expect its use to be uncontroversial.Second: That's... not a terrible idea. Concurrency bugs do crop up from time to time. I wouldn't use it for everything (again, we're in the very long tail of concurrency bugs), but having a way to force the system into a mode that couldn't hit them would be nice for high-stakes situations (the same way that Apple's Lockdown Mode disables JIT in the browser). Unfortunately it would probably be more involved than a sysctl.
by yjftsjthsd-h
3/30/2025 at 1:10:19 PM
Attack surface is a thing, still.by rini17
3/30/2025 at 8:49:16 AM
Well behaved programs rarely need user namespaces, you can still, in userspace, drop capabilities and otherwise sandbox yourself without user namespaces.Poorly behaved programs on the other hand... Ones that expect to use root for something, or expect to write into arbitrary folders, or etc, usually a lot more useful for constraining that.
by its-summertime
3/30/2025 at 9:40:15 AM
It's "only" the failure of one layer of security.But also:
It's the failure of one layer of security.
As much as I agree it's not a big breach, it's not great. Especially if people are aware these profile security features exist, rely on them (maybe more than intended) and then you add a break like this.
by eqvinox
3/29/2025 at 10:45:32 PM
With the Linux kernel references is this only a Ubuntu issue, or could Debian also be affected?by j45
3/29/2025 at 11:20:01 PM
I see no mention of "userns" in debian's apparmor.d, which means Debian is unaffected because it does not implement such protection at all.An analogy: Ubuntu has installed a lock on a window which turned out to be easily broken. Debian was unaffected because it just kept that window unlocked - no lock, no vulnerability.
by theamk
3/29/2025 at 11:56:24 PM
Fedora and RHEL 8+ also don't restrict unprivileged user namespaces. They are required for flatpak and rootless podman, both widely used and promoted technologies in the Red Hat ecosystem.by curt15
3/30/2025 at 12:16:19 AM
Flatpack does not require user namespaces. bubblewrap, the tool Flatpack uses to secure things, can be installed set-uid and can then setup the sandbox without the user namespaces.Chromium-based browsers also include own setuid tool to setup the sandbox if the user-namespaces are not available.
Even podman could have used something like that. But I guess RedHat assumes that the user namespaces are solid these days are do not bother…
by fpoling
3/30/2025 at 3:24:17 AM
> Fedora and RHEL 8+ also don't restrict unprivileged user namespaces.Are you sure ? Its disabled by default boot on my systems.
by worthless-trash
3/30/2025 at 4:58:55 PM
Appreciate it, I understand the same.by j45
3/30/2025 at 4:52:38 AM
Debian is still way worse. Do not use it. Instead, stick to fedora or archby udev4096
3/30/2025 at 9:32:01 AM
If you post something like this, you need to have arguments and links in it.No matter how well founded your opinion might be, noone knows what solid basis you have (or don't) and as such your comment is just badmouthing.
by eqvinox
3/29/2025 at 9:03:38 PM
So, entirely, AppArmor profiles for shipped executables allow escape from privileged environments...Without that additional AppArmor 'blessing', wouldn't the standard Linux privileges / container groups prevent this?
by mjevans
3/29/2025 at 9:27:47 PM
No; note the last sentence in the article:"a bypass is not even needed on most Linux distributions, because they allow unprivileged users to obtain full capabilities inside namespaces by default (and therefore to exploit CAP_SYS_ADMIN kernel vulnerabilities for example), without any restriction at all."
From the kernel standpoint, without a rules engine (AppArmor, seccomp, SELinux), unprivileged user namespaces are an all-or-nothing thing (unprivileged_userns_clone), so distributions have to rely on complex and leaky rules engines to try to allow namespace segmentation without letting users touch the big, broken kernel too much.
by bri3d