On 2020-10-22 22:55:33, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Oct 20, 2020 at 05:21:24PM +0100, Simon McVittie wrote:
>> On Thu, 16 Apr 2020 at 03:09:25 +0100, Ben Hutchings wrote:
>> > I don't think we should keep patching in
>> > kernel.unprivileged_userns_clone forever, so the documented way to
>> > disable user namespaces should be setting user.max_user_namespaces to
>> > 0.  But then there's no good way to have a drop-in file that changes
>> > back to the upstream default, because that's dependent on system memory
>> > size.
>> > 
>> > So I think we should do something like this:
>> > 
>> > * Document user.max_user_namespaces in procps's shipped
>> >   /etc/sysctl.conf
>> > * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
>> >   it (log a warning if it's changed)
>> > * Document the change in bullseye release notes
>> 
>> Is this something you intend to do before bullseye, or is it now going
>> to be after bullseye?
>> 
>> If this is intended to happen before bullseye, I'd like enough time
>> before the freeze to put an as-graceful-as-possible transition in place
>> in the bubblewrap package.
>> 
>> (I'm not sure what form that transition should take - suggestions welcome!
>> Ideally I'd like bubblewrap to be setuid root if and only if we are still
>> using a kernel where it needs to be.)
>
> TBH, I think not having it enabled by default until now saved us a
> couple of time from needing to release urgent fixes. It is more a gut
> feeling and might not have enough weight: but having it still disabled
> in bullseye by default we would be still better off from security
> releases/DSA's perspectives.

Could we get a little more hard data about the attack vectors here? I
totally trust the security team's "gut feeling" on this, but it would be
great to be able to evaluate more concretely what we're talking about
here.

Local root privilege escalation, basically? Can we get a sense of what
those vulnerabilities are, say with some example CVEs?

I'm asking because my main concern with security these days is with the
web browser. It's this huge gaping hole: every measure we can take to
sandbox that thing is becoming more and more critical, so I wonder if
our tradeoff evaluation is well adjusted here, especially considering
a lot of user_ns consumers are bypassing those restrictions by running
as root anyways...

It seems that, in those cases, we're getting the worst of both worlds...

a.
-- 
It is a miracle that curiosity survives formal education
                        - Albert Einstein
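The two knobs the thread goes back and forth on are the Debian-specific
kernel.unprivileged_userns_clone and the upstream user.max_user_namespaces.
Simon's wish ("setuid root if and only if we are still using a kernel where
it needs to be") boils down to deciding, at runtime, whether an unprivileged
process can create a user namespace. The script below is an added example
written for this page; it is not code from the thread, from bubblewrap or
from the Debian kernel packaging. It assumes the two sysctls live at
/proc/sys/kernel/unprivileged_userns_clone and
/proc/sys/user/max_user_namespaces (the former is absent on non-Debian
kernels, which the script treats as "no Debian restriction"), and that
util-linux's `unshare` is available for the empirical check. The
userns_policy function is pure so it can be tested with constructed values;
probe_userns reads the live system.

```shell
#!/bin/sh
# Added example: decide whether unprivileged user namespaces are usable.
# Not from the mailing-list thread, bubblewrap or the Debian kernel; the
# sysctl paths and the use of util-linux `unshare` are assumptions.

# Read one sysctl from /proc/sys; print "absent" if the knob does not exist
# (e.g. kernel.unprivileged_userns_clone on a non-Debian kernel).
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo absent
    fi
}

# userns_policy CLONE MAXNS
#   CLONE  value of kernel.unprivileged_userns_clone, or "absent"
#   MAXNS  value of user.max_user_namespaces
# Prints a one-line verdict and returns 0 (enabled) or 1 (disabled).
# user.max_user_namespaces=0 is the upstream way to switch user namespaces
# off, so it is checked first; unprivileged_userns_clone=0 is the Debian
# patch's way and only matters when the knob exists.
userns_policy() {
    clone="$1"
    maxns="$2"
    if [ "$maxns" -eq 0 ] 2>/dev/null; then
        echo "disabled: user.max_user_namespaces=0"
        return 1
    fi
    if [ "$clone" != "absent" ] && [ "$clone" -eq 0 ] 2>/dev/null; then
        echo "disabled: kernel.unprivileged_userns_clone=0"
        return 1
    fi
    echo "enabled"
    return 0
}

# Empirical check: try to actually create a user namespace. This catches
# restrictions the two sysctls do not express (LSM policy, seccomp, a
# kernel built without CONFIG_USER_NS). Returns 0 if it worked.
try_unshare() {
    unshare -U true 2>/dev/null
}

# Combine the policy view with the empirical view for the running system.
# Returns 0 only if both say unprivileged user namespaces work; this is the
# condition under which a sandbox helper like bubblewrap would NOT need to
# be setuid root.
probe_userns() {
    clone=$(read_sysctl kernel/unprivileged_userns_clone)
    maxns=$(read_sysctl user/max_user_namespaces)
    echo "kernel.unprivileged_userns_clone=$clone user.max_user_namespaces=$maxns"
    if ! userns_policy "$clone" "$maxns"; then
        return 1
    fi
    if try_unshare; then
        echo "unshare -U succeeded: unprivileged user namespaces work"
        return 0
    fi
    echo "unshare -U failed despite sysctls: blocked elsewhere (LSM, seccomp, kernel config)"
    return 1
}

# Only probe the live system when invoked with --probe, so that sourcing
# the file for its functions has no side effects.
if [ "${1:-}" = "--probe" ]; then
    probe_userns
fi
```

Run it as `sh userns-check.sh --probe`; the exit status answers Simon's
question for the kernel that is actually booted, which is the only thing a
maintainer script or a wrapper can reasonably key off, since the sysctl
default for user.max_user_namespaces depends on memory size and cannot be
restored by a static drop-in file.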
