[$] User namespaces + overlayfs = root privileges
The user namespaces feature is conceptually fairly straightforward (allow users to run as root in their own space, while limiting their privileges on the system outside that space), but the implementation has, perhaps unsurprisingly, proven to be quite tricky. There are some assumptions about user IDs and how they operate that are deeply wired into the kernel in various subsystems; shaking those out has taken some time, which led to some hesitation about enabling the feature in distribution kernels. But that reluctance has largely passed at this point, which makes the recent discovery of a root-privilege escalation using user namespaces and the overlay filesystem (overlayfs) that much more dangerous.