The "user" namespace headache
by zeebra from LinuxQuestions.org on (#6GXH1)
So, I know there are sharper heads than mine in here, and I've hit somewhat of a conundrum in regard to the "user" namespace. The more I look into this "user" namespace, the less of a good idea I think it is overall and in general. I could of course be wrong, lack some information or overcomplicate things.
The issue with the user namespace pops up in regards to containers, and I'm starting to wonder if it is a bad idea. So, the "user" namespace allows a regular user to pretend to be root inside a container, and set up a kind of virtual root, inside a user. This root however is not as virtual as one might think, it is done with "capabilities" (sys_admin_cap to be specific), which basically allows the user to make what could be thought of as root system calls. To be able to pretend to be root in a container, the user needs these system calls (capabilities).
This also gives the user actual root capabilities through the user namespace in that environment. If the "root" of that environment (any user environment called with unshare user??) is then able to break out of that environment, you now have a user account with root privileges (capabilities/calls)! Normally the user account has none of these capabilities and can't make any of these calls. That's one of the main distinctions between a user account and a root account.
There have been plenty of security issues with this already, and it is written about extensively if you search online for "linux user namespace" or "user namespace security" or such search phrases.
In the end it seems like a very bad idea to me to give a user root capabilities like this, even just to delegate them to a user indirectly. Some security researchers (including grsecurity) already recommend compiling the kernel without the user namespace altogether, due to the possible security implications. This is even making me think that I should just not take such an interest in containers anymore and just stick with virtual machines.
So, I'd be interested in hearing what thoughts or knowledge others have about this topic. I know I could have asked it on a general forum, but I like the sharpness of the heads of the people here, and I only use Slackware currently anyways.
Ps. This all hit the forefront of my awareness when I today noticed that Firefox uses the user namespace for its sandboxing.
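Two things a reader can check for themselves on the questions raised in the post: whether the host actually lets an unprivileged user create a user namespace at all (this is what the "build the kernel without it" advice reduces to, and it can also be switched off at runtime), and what the capability set of the "root" inside such a namespace looks like. The script below is an added example, not code from the post or from LinuxQuestions. It reads the standard `user.max_user_namespaces` sysctl, and the `kernel.unprivileged_userns_clone` sysctl that exists only on Debian/Ubuntu-patched kernels (assumed absent elsewhere); it decodes the `CapEff` line of `/proc/<pid>/status` using CAP_SYS_ADMIN's capability number 21 from `linux/capability.h`; the two `/proc/self/status` excerpts are constructed samples. The live demonstration with `unshare -Ur` (util-linux: new user namespace, map the caller to uid 0) runs only when the script is invoked with `--demo`.

```shell
#!/bin/sh
# Added example, not from the LinuxQuestions post.
# (1) Report whether unprivileged user namespaces can be created on this host.
# (2) Decode the CapEff mask from a /proc/<pid>/status text, so the claim
#     "root inside the namespace holds CAP_SYS_ADMIN" can be checked directly.

# Standard kernel sysctl: 0 forbids creating any user namespace.
USERNS_MAX=/proc/sys/user/max_user_namespaces
# Debian/Ubuntu-patched kernels only; assumption: absent on other kernels.
USERNS_CLONE=/proc/sys/kernel/unprivileged_userns_clone

# CAP_SYS_ADMIN is capability number 21 (linux/capability.h).
CAP_SYS_ADMIN=21

# Print one word: disabled-by-max, disabled-by-clone-sysctl, enabled,
# or unknown (procfs not readable here).
userns_status() {
    if [ -r "$USERNS_MAX" ] && [ "$(cat "$USERNS_MAX")" = 0 ]; then
        echo disabled-by-max; return 0
    fi
    if [ -r "$USERNS_CLONE" ] && [ "$(cat "$USERNS_CLONE")" = 0 ]; then
        echo disabled-by-clone-sysctl; return 0
    fi
    if [ -r "$USERNS_MAX" ]; then echo enabled; return 0; fi
    echo unknown
}

# Extract the CapEff hex mask from the text of a /proc/<pid>/status file.
capeff_of_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# Return 0 if capability number $2 is set in hex mask $1, else 1.
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Constructed samples: an ordinary shell (uid 1000, no capabilities) versus
# the same user after `unshare -Ur` (uid 0 inside the namespace, full
# capability set valid only inside that namespace).
SAMPLE_OUTSIDE='Name:   sh
Uid:    1000    1000    1000    1000
CapEff: 0000000000000000'
SAMPLE_INSIDE='Name:   sh
Uid:    0       0       0       0
CapEff: 000001ffffffffff'

# Live demonstration (needs unshare(1) and an enabled host): the namespace
# root reports uid 0 and a full CapEff, but uid_map shows the single
# mapping "0 <real uid> 1", i.e. the capabilities stop at the namespace edge.
demo_in_userns() {
    unshare -Ur sh -c 'id -u; cat /proc/self/uid_map; grep CapEff /proc/self/status'
}

echo "unprivileged user namespaces on this host: $(userns_status)"
if [ "${1:-}" = "--demo" ]; then
    demo_in_userns
fi
```

Run it plainly to see the host's setting, or with `--demo` to watch the same user become uid 0 with a full capability mask inside a fresh namespace while `uid_map` still records that this "root" is really the calling uid. Setting `user.max_user_namespaces=0` (or `kernel.unprivileged_userns_clone=0` on Debian-family kernels) is the runtime equivalent of the kernel-config advice mentioned in the post.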