aboutsummaryrefslogtreecommitdiffstats
path: root/ipc
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-12-14 10:55:36 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-12-14 19:12:03 -0500
commit5e4a08476b50fa39210fca82e03325cc46b9c235 (patch)
treefb3a3c6b4c3f613abf354adefcff8a74051acdce /ipc
parent520d9eabce18edfef76a60b7b839d54facafe1f9 (diff)
userns: Require CAP_SYS_ADMIN for most uses of setns.
Andy Lutomirski <luto@amacapital.net> found a nasty little bug in the permissions of setns. With unprivileged user namespaces it became possible to create new namespaces without privilege. However the setns calls were relaxed to only require CAP_SYS_ADMIN in the user nameapce of the targed namespace. Which made the following nasty sequence possible. pid = clone(CLONE_NEWUSER | CLONE_NEWNS); if (pid == 0) { /* child */ system("mount --bind /home/me/passwd /etc/passwd"); } else if (pid != 0) { /* parent */ char path[PATH_MAX]; snprintf(path, sizeof(path), "/proc/%u/ns/mnt"); fd = open(path, O_RDONLY); setns(fd, 0); system("su -"); } Prevent this possibility by requiring CAP_SYS_ADMIN in the current user namespace when joing all but the user namespace. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'ipc')
-rw-r--r--ipc/namespace.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ipc/namespace.c b/ipc/namespace.c
index cf3386a51de2..7c1fa451b0b0 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -170,7 +170,8 @@ static void ipcns_put(void *ns)
170static int ipcns_install(struct nsproxy *nsproxy, void *new) 170static int ipcns_install(struct nsproxy *nsproxy, void *new)
171{ 171{
172 struct ipc_namespace *ns = new; 172 struct ipc_namespace *ns = new;
173 if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) 173 if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) ||
174 !nsown_capable(CAP_SYS_ADMIN))
174 return -EPERM; 175 return -EPERM;
175 176
176 /* Ditch state from the old ipc namespace */ 177 /* Ditch state from the old ipc namespace */