oss-sec mailing list archives
Re: Re: Linux user namespaces can bypass group-based restrictions
From: Vitor Ventura <ventura.vitor () gmail com>
Date: Thu, 20 Nov 2014 08:49:23 +0000
I was wondering if this might pose a problem to android's application file sandboxing. If an application can run a native lib that could exploits this it might have access to other aplication files. A 0h24 qui, 20 de Nov de 2014, Andy Lutomirski <luto () amacapital net> escreveu:
On 11/17/2014 10:43 AM, Andy Lutomirski wrote:This is a heads-up, as there is no fix right now. On Linux, if you can unshare your user namespace (which is the case on many distributions), then you can map your fsuid and fsgid into the new namespace and, inside that namespace, drop all of your other groups. This may allow you to access files protected by POSIX ACLs as "other", even if the ACL should have prohibited it based on one of your supplementary group IDs. This does not appear to allow you to violate negative sudoers group entries and the like, since sudo(8) would be confined to the user namespace as well and will therefore not gain privilege. To those who care about credit: this was discovered by some combination of me, Theodore Ts'o, Eric Biederman, Alan Cox, and Casey Schaufler. See here for some more discussion: http://thread.gmane.org/gmane.linux.man/7385/ Disabling CONFIG_USER_NS works around this issue.Does this need a CVE? Fedora and Ubuntu are likely to be affected in their default configurations. I don't know about the other distributions. --Andy--Andy
Current thread:
- Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 17)
- Re: Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 19)
- Re: Re: Linux user namespaces can bypass group-based restrictions Vitor Ventura (Nov 20)
- Re: Re: Linux user namespaces can bypass group-based restrictions Simon McVittie (Nov 20)
- Re: Re: Linux user namespaces can bypass group-based restrictions Vitor Ventura (Nov 20)
- Re: Linux user namespaces can bypass group-based restrictions - Linux kernel cve-assign (Nov 19)
- Re: Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 19)