*** This bug is a security vulnerability *** Public security bug reported:
Unprivileged user namespaces gives an unprivileged user access to a large set of kernel functionality and interfaces that has historically not been carefully vetted for security issues, as it required a user with trusted privileges to access. This has lead to a number of security issues around mounting filesystems and other areas of the kernel. We should give administrators the option to disable unprivileged user namespaces via a sysctl if they have no need for it, to allow them to reduce their threat surface. The patch at http://www.openwall.com/lists /kernel-hardening/2016/01/28/8 does so. (debian is currently carrying a similar patch https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian /add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by- default.patch?h=sid ). ** Affects: linux (Ubuntu) Importance: Undecided Status: Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555321 Title: kernel should support disabling CLONE_NEWUSER via sysctl To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555321/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
