Hello all,

Have you heard about the latest overlayfs security problem?
http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/

The problem is already fixed in mainline. I am afraid that aufs might have a similar problem, particularly when the module parameter 'allow_userns' is set to 1. Actually I've tried reproducing the problem on my test pc, but failed. I am afraid I don't understand the detail yet.

If you can (anyone in this ML), please try reproducing the problem. Because this is a security problem and I want to really make sure, I'd like to ask for help from users. If you have some time to try, please do it and report the result to this ML.

1. get the test-program UserNamespaceOverlayfsSetuidWriteExec.c from the above URL.
2. reproduce the problem by overlayfs (without modifying the TP)
3. modify the TP in order to use aufs (like the patch attached).
4. try reproducing the problem by aufs with two cases,
   + allow_userns=1
   + allow_userns=0
5. report the result to this ML.

Thank you

J. R. Okajima