
Bug#898446: Please reconsider enabling the user namespaces by default



On Mon, 2020-03-30 at 10:56 +0100, Simon McVittie wrote:
> On Fri, 11 May 2018 at 20:44:50 +0200, Laurent Bigonville wrote:
> > Firefox (and probably other applications) are using user namespaces these
> > days to enhance the security.
> > 
> > Debian is disabling these since 2013, the original patch states it's a
> > short term solution, but we are here 5 years later and they are still
> > disabled.
> > 
> > Apparently debian (and ubuntu) and arch are the only distributions
> > disabling the user namespaces.
> 
> A cross-distro status update:
> 
> - Debian still disables user namespaces by default with our
>   /proc/sys/kernel/unprivileged_userns_clone patch.
> 
> - Ubuntu now enables user namespaces by default. I think they still apply
>   the /proc/sys/kernel/unprivileged_userns_clone patch, but with the
>   default flipped?
> 
> - Arch Linux now enables user namespaces in their default kernel. There
>   is a non-default kernel, "linux-hardened", which applies the same patch
>   as Debian.
> 
> - Apparently RHEL 7 also disables user namespaces, although instead of
>   patching in a new sysctl, they set /proc/sys/user/max_user_namespaces
>   to 0 (which is an upstream thing since Linux 4.9).

And CentOS 8 appears to enable user namespaces by default.  So at this
point I think we probably need to follow suit, if only because users
and developers will expect it to be enabled.

> On Sun, 13 May 2018 at 22:57:56 +0200, Moritz Mühlenhoff wrote:
> > Ben Hutchings wrote:
> > > And this still mitigates a significant fraction of the security issues
> > > found in the kernel.
> > 
> > A quite significant fraction; on average this neutralises a root privilege
> > escalation every month or so. This is really not something that we should
> > re-enable any time soon.
> 
> Is this still the case, or has the status of user namespaces settled down?

I certainly have the impression that things have settled down.  I'd
need to spend some time reviewing recent security issues, to be sure of
that.

> bubblewrap works around the restriction by being setuid root (and
> imposing restrictions in user-space that are intended to be more
> restrictive than those imposed by upstream kernels), but this makes
> bubblewrap bugs into potential root privilege escalations, so I would love
> to see bubblewrap no longer need to be setuid (like in Ubuntu).
[...]
> In
> Firefox, if I understand correctly, the fallback path is to not sandbox
> in this way at all; in Chrome/Chromium, there is a setuid fallback
> (which is enabled by the Debian chromium package), but it does not
> receive new upstream development, and it seems to be ambiguous whether
> its use is discouraged.
[...]

I think you've made a good case that user namespaces are likely to be a
net positive for security on Debian desktop systems.

This might not be true yet for servers that aren't container hosts.

Ben.

-- 
Ben Hutchings
It is a miracle that curiosity survives formal education.
                                                      - Albert Einstein
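Added example, not part of the thread or of any Debian package: a POSIX shell probe of the knobs Simon's status update names. It reads the Debian/Ubuntu/linux-hardened patch sysctl kernel.unprivileged_userns_clone (absent on an unpatched upstream kernel), the upstream user.max_user_namespaces limit (Linux 4.9 and later; 0 disables user namespaces as on RHEL 7), and then asks the kernel for a user namespace as the current unprivileged user via util-linux unshare(1). The verdict strings and the "absent" marker are this example's own convention, not anything the kernel reports.

```shell
#!/bin/sh
# Added example: probe whether unprivileged user namespaces are usable here.
# Three sources of truth, in the order the thread discusses them:
#   /proc/sys/kernel/unprivileged_userns_clone  Debian-style distro patch (0 = off)
#   /proc/sys/user/max_user_namespaces          upstream since 4.9 (0 = off)
#   unshare(CLONE_NEWUSER)                      what the kernel actually allows

# Print the contents of a sysctl file, or "absent" (example convention)
# when the file does not exist, e.g. the Debian knob on an upstream kernel.
read_knob() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo absent
    fi
}

# classify_userns CLONE MAX
# Combine the two sysctl values into one verdict string:
#   disabled-debian-patch  the distro patch knob is 0
#   disabled-max-userns    the upstream limit is 0 (RHEL 7 approach)
#   enabled-by-sysctl      neither knob disables it; confirm with try_unshare
classify_userns() {
    clone=$1
    max=$2
    if [ "$clone" = 0 ]; then
        echo disabled-debian-patch
    elif [ "$max" = 0 ]; then
        echo disabled-max-userns
    else
        echo enabled-by-sysctl
    fi
}

# Actually request a user namespace as the current user.
# Exit status: 0 created, 2 unshare(1) not installed, anything else refused.
try_unshare() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true 2>/dev/null
}

# Report the sysctl view and the live result side by side; the live result
# is authoritative (a patched kernel may ship with the default flipped, as
# Simon suspects of Ubuntu).
probe_host() {
    clone=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
    max=$(read_knob /proc/sys/user/max_user_namespaces)
    echo "kernel.unprivileged_userns_clone: $clone"
    echo "user.max_user_namespaces:         $max"
    echo "sysctl verdict:                   $(classify_userns "$clone" "$max")"
    if try_unshare; then
        echo "unshare(CLONE_NEWUSER):           works for uid $(id -u)"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "unshare(CLONE_NEWUSER):           not tested (unshare(1) missing)"
        else
            echo "unshare(CLONE_NEWUSER):           refused (exit $rc)"
        fi
    fi
}

probe_host
```

Run it as an ordinary user, not root: root can create user namespaces regardless of the Debian knob, so a root run tells you nothing about the Firefox or bubblewrap case. On a Debian kernel with the default left alone the expected picture is the first knob at 0 and the live unshare refused; flipping the sysctl to 1 (or the limit away from 0) should turn the last line to "works".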



