Important caveat: this is not itself a vulnerability; you still need a kernel `CAP_SYS_ADMIN` vulnerability if you want to actually do something evil.
(I also expect that if you're already in a restricted AA profile it's not easy to switch to a less-restrictive one, but I think a lot of security tools are bad at thinking about multi-process interpreters)
Unprivileged user namespaces are not a security vulnerability. Ubuntu's short-sighted and reactionary decision to ban them makes systems less, not more, secure overall, since with this capability gone, it makes it that much harder for a well-behaved unprivileged program to set up a userspace sandbox. If the kernel has vulnerabilities, fix them. Don't just randomly break useful features.
Broken security boundaries are actively harmful. If you offer something that looks like a security boundary, then people will design their systems on the assumption that it does what it looks like it does. Doubly so if it is actually documented as a security feature. They will then _not_ look into alternative mechanisms to achieve their security goals, even when those alternatives exist and are less susceptible to holes.
Yes, the kernel should be fixed. But until the kernel is fixed, distributions should not be enabling broken features by default.
This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousness is making it hard for application authors to use new features and advance the state of the art. The kernel should not have random knobs for disabling new technology.
> But until the kernel is fixed
The kernel is in fact fixed. The occasional bug doesn't obviate the maturity of the system. If it did, you wouldn't use Linux at all
>The occasional bug doesn't obviate the maturity of the system.
Here you are hoping that the reader will equate "mature" with fewer bugs, but in reality the only sense that Linux is obviously and incontestably mature is in the sense of having existed for many years.
Have you considered the possibility that Linux is adding security holes at a rate higher than they are being removed? I see a lot of evidence that that is so (and has always been so). There is certainly a lot of new code being added to the project all the time.
> This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousness
It's not "superstitiousness" when the new features did in fact have vulnerabilities.
Yes, obviously; a feature with a history of vulnerabilities is likely to have more that have not yet been found and patched. It's a guess, but in the but in the face of unknown unknowns it's rational.
You know, I'm still unsure about this "thread" concept some programs use. It's kind of insane for ONE program to do TWO THINGS at the SAME TIME. I think it can lead to security problems. Please add a sysctl knob letting me turn off this dangerous technology until we fix all the problems with it.
First: That's a strawman. Nobody's saying we can't ever use new features, just that it's reasonable to be cautious with new code that demonstrably has a history of problems. When io_uring has a few decades under its belt I expect its use to be uncontroversial.
Second: That's... not a terrible idea. Concurrency bugs do crop up from time to time. I wouldn't use it for everything (again, we're in the very long tail of concurrency bugs), but having a way to force the system into a mode that couldn't hit them would be nice for high-stakes situations (the same way that Apple's Lockdown Mode disables JIT in the browser). Unfortunately it would probably be more involved than a sysctl.
Well behaved programs rarely need user namespaces, you can still, in userspace, drop capabilities and otherwise sandbox yourself without user namespaces.
Poorly behaved programs on the other hand... Ones that expect to use root for something, or expect to write into arbitrary folders, or etc, usually a lot more useful for constraining that.
As much as I agree it's not a big breach, it's not great. Especially if people are aware these profile security features exist, rely on them (maybe more than intended) and then you add a break like this.
I see no mention of "userns" in debian's apparmor.d, which means Debian is unaffected because it does not implement such protection at all.
An analogy: Ubuntu has installed a lock on a window which turned out to be easily broken. Debian was unaffected because it just kept that window unlocked - no lock, no vulnerability.
Fedora and RHEL 8+ also don't restrict unprivileged user namespaces. They are required for flatpak and rootless podman, both widely used and promoted technologies in the Red Hat ecosystem.
Flatpack does not require user namespaces. bubblewrap, the tool Flatpack uses to secure things, can be installed set-uid and can then setup the sandbox without the user namespaces.
Chromium-based browsers also include own setuid tool to setup the sandbox if the user-namespaces are not available.
Even podman could have used something like that. But I guess RedHat assumes that the user namespaces are solid these days are do not bother…
"a bypass is not even needed on most Linux distributions,
because they allow unprivileged users to obtain full capabilities inside
namespaces by default (and therefore to exploit CAP_SYS_ADMIN kernel
vulnerabilities for example), without any restriction at all."
From the kernel standpoint, without a rules engine (AppArmor, seccomp, SELinux), unprivileged user namespaces are an all-or-nothing thing (unprivileged_userns_clone), so distributions have to rely on complex and leaky rules engines to try to allow namespace segmentation without letting users touch the big, broken kernel too much.
Important caveat: this is not itself a vulnerability; you still need a kernel `CAP_SYS_ADMIN` vulnerability if you want to actually do something evil.
(I also expect that if you're already in a restricted AA profile it's not easy to switch to a less-restrictive one, but I think a lot of security tools are bad at thinking about multi-process interpreters)
Unprivileged user namespaces are not a security vulnerability. Ubuntu's short-sighted and reactionary decision to ban them makes systems less, not more, secure overall, since with this capability gone, it makes it that much harder for a well-behaved unprivileged program to set up a userspace sandbox. If the kernel has vulnerabilities, fix them. Don't just randomly break useful features.
Broken security boundaries are actively harmful. If you offer something that looks like a security boundary, then people will design their systems on the assumption that it does what it looks like it does. Doubly so if it is actually documented as a security feature. They will then _not_ look into alternative mechanisms to achieve their security goals, even when those alternatives exist and are less susceptible to holes.
Yes, the kernel should be fixed. But until the kernel is fixed, distributions should not be enabling broken features by default.
This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousness is making it hard for application authors to use new features and advance the state of the art. The kernel should not have random knobs for disabling new technology.
> But until the kernel is fixed
The kernel is in fact fixed. The occasional bug doesn't obviate the maturity of the system. If it did, you wouldn't use Linux at all
>The occasional bug doesn't obviate the maturity of the system.
Here you are hoping that the reader will equate "mature" with fewer bugs, but in reality the only sense that Linux is obviously and incontestably mature is in the sense of having existed for many years.
Have you considered the possibility that Linux is adding security holes at a rate higher than they are being removed? I see a lot of evidence that that is so (and has always been so). There is certainly a lot of new code being added to the project all the time.
> This attitude is why operating systems have ossified. Every new feature is suspect. io_uring? TURN IT OFF. User namespaces? TURN IT OFF. eBPF? TURN IT OFF. This superstitiousness
It's not "superstitiousness" when the new features did in fact have vulnerabilities.
The superstition lasts a lot longer than the vulnerabilities do.
Yes, obviously; a feature with a history of vulnerabilities is likely to have more that have not yet been found and patched. It's a guess, but in the but in the face of unknown unknowns it's rational.
You know, I'm still unsure about this "thread" concept some programs use. It's kind of insane for ONE program to do TWO THINGS at the SAME TIME. I think it can lead to security problems. Please add a sysctl knob letting me turn off this dangerous technology until we fix all the problems with it.
First: That's a strawman. Nobody's saying we can't ever use new features, just that it's reasonable to be cautious with new code that demonstrably has a history of problems. When io_uring has a few decades under its belt I expect its use to be uncontroversial.
Second: That's... not a terrible idea. Concurrency bugs do crop up from time to time. I wouldn't use it for everything (again, we're in the very long tail of concurrency bugs), but having a way to force the system into a mode that couldn't hit them would be nice for high-stakes situations (the same way that Apple's Lockdown Mode disables JIT in the browser). Unfortunately it would probably be more involved than a sysctl.
Attack surface is a thing, still.
Well behaved programs rarely need user namespaces, you can still, in userspace, drop capabilities and otherwise sandbox yourself without user namespaces.
Poorly behaved programs on the other hand... Ones that expect to use root for something, or expect to write into arbitrary folders, or etc, usually a lot more useful for constraining that.
It's "only" the failure of one layer of security.
But also:
It's the failure of one layer of security.
As much as I agree it's not a big breach, it's not great. Especially if people are aware these profile security features exist, rely on them (maybe more than intended) and then you add a break like this.
With the Linux kernel references is this only a Ubuntu issue, or could Debian also be affected?
I see no mention of "userns" in debian's apparmor.d, which means Debian is unaffected because it does not implement such protection at all.
An analogy: Ubuntu has installed a lock on a window which turned out to be easily broken. Debian was unaffected because it just kept that window unlocked - no lock, no vulnerability.
Fedora and RHEL 8+ also don't restrict unprivileged user namespaces. They are required for flatpak and rootless podman, both widely used and promoted technologies in the Red Hat ecosystem.
Flatpack does not require user namespaces. bubblewrap, the tool Flatpack uses to secure things, can be installed set-uid and can then setup the sandbox without the user namespaces.
Chromium-based browsers also include own setuid tool to setup the sandbox if the user-namespaces are not available.
Even podman could have used something like that. But I guess RedHat assumes that the user namespaces are solid these days are do not bother…
> Fedora and RHEL 8+ also don't restrict unprivileged user namespaces.
Are you sure ? Its disabled by default boot on my systems.
Appreciate it, I understand the same.
Debian is still way worse. Do not use it. Instead, stick to fedora or arch
If you post something like this, you need to have arguments and links in it.
No matter how well founded your opinion might be, noone knows what solid basis you have (or don't) and as such your comment is just badmouthing.
So, entirely, AppArmor profiles for shipped executables allow escape from privileged environments...
Without that additional AppArmor 'blessing', wouldn't the standard Linux privileges / container groups prevent this?
No; note the last sentence in the article:
"a bypass is not even needed on most Linux distributions, because they allow unprivileged users to obtain full capabilities inside namespaces by default (and therefore to exploit CAP_SYS_ADMIN kernel vulnerabilities for example), without any restriction at all."
From the kernel standpoint, without a rules engine (AppArmor, seccomp, SELinux), unprivileged user namespaces are an all-or-nothing thing (unprivileged_userns_clone), so distributions have to rely on complex and leaky rules engines to try to allow namespace segmentation without letting users touch the big, broken kernel too much.