I stumbled upon this answer from three years ago 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446)
"User namespaces *are* enabled - but by default, they can only be created by 
root".
I need clarifications on that, cause I didn't quite know how namespace 
management works.
I experimented a bit; from what I got, it creates a namespace originating from 
the user asking for it, and using it as a normal user was disabled by default 
because it clearly adds lots of attack surface by exposing code that would 
normally be used by just root. Also, in this little space there is a mapping 
between namespace users and the originating user.

What I didn't quite get is: does this patch allow creating namespaces belonging 
to a user from root, thus avoiding the possibility of privilege escalation, or 
is having user namespaces running from unprivileged users a threat by itself? 

I ask this because I'm particularly concerned about unprivileged container 
support. While it is certainly good not to expose critical pieces of the 
Linux kernel to regular UIDs, it may be counterproductive in cases of a single 
user deputed just for running unprivileged containers, if there is no other 
way of creating such unprivileged namespaces.

If there is some information I'm missing, please explain it or link resources; 
I searched what I could, but apparently it wasn't enough.
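
The following is an added example, not part of the original message: a shell check that reports whether user-namespace creation is disabled, restricted to privileged users, or open to unprivileged users, plus a helper that resolves an ID through a `uid_map`. It assumes the Debian-patched sysctl `kernel.unprivileged_userns_clone` and the upstream `user.max_user_namespaces`; the function names and the sample map are constructed for illustration.

```shell
#!/bin/sh
# Added example. The /proc/sys root is a parameter so the check can be run
# against constructed files as well as the live system.

# userns_policy [PROC_SYS_DIR]
# Prints: disabled | root-only | unprivileged | unknown
userns_policy() {
    sys=${1:-/proc/sys}
    # Upstream limit: 0 means nobody can create a user namespace.
    max=$(cat "$sys/user/max_user_namespaces" 2>/dev/null || echo unknown)
    # Debian-specific knob; absent on kernels without the Debian patch.
    clone=$(cat "$sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo absent)
    if [ "$max" = unknown ]; then
        echo unknown
    elif [ "$max" = 0 ]; then
        echo disabled
    elif [ "$clone" = 0 ]; then
        echo root-only      # creation needs privilege (CAP_SYS_ADMIN)
    else
        echo unprivileged   # knob is 1, or absent (no Debian patch)
    fi
}

# map_to_parent UID_MAP_FILE INSIDE_ID
# Each uid_map line is "<first id inside> <first id outside> <count>".
# Prints the outside ID that INSIDE_ID corresponds to, or "unmapped".
map_to_parent() {
    awk -v id="$2" '
        id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# Constructed sample: the map of a namespace created by UID 1000 with a
# single entry, so "root" inside is still UID 1000 outside.
sample=$(mktemp)
printf '0 1000 1\n' > "$sample"
echo "live policy: $(userns_policy)"
echo "inside uid 0 -> outside uid $(map_to_parent "$sample" 0)"
echo "inside uid 1 -> outside uid $(map_to_parent "$sample" 1)"
rm -f "$sample"
```
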
