On Fri, May 29, 2015 at 1:48 AM, Alexander Larsson <[email protected]> wrote:

> On Thu, 2015-05-28 at 22:31 +0200, Alexander Larsson wrote:
>> I just pushed some changes to make xdg-app use user namespaces, which
>> means it does not require any elevated permissions like setuid or
>> setcap.
>>
>> I need to do some more testing on it to make sure nothing broke, but it
>> seems to work for me.
>>
>> However, there is an issue with some 4.0.x kernels, where it causes a
>> panic. For fedora this is fixed in the 4.0.4-302 kernel (and it works
>> with previous 3.19 kernels). If you want to test this, make sure you
>> have a new enough or old enough kernel.
>
> I added back the old setuid implementation if you pass --disable-userns
> to configure, since some old distros don't have user namespaces.
> However, my recommendation is for everyone that can to use the user
> namespace implementation, it is less risky as there are no increased
> privileges needed.
FWIW, Arch has steadfastly refused to enable user namespaces even in new
kernels: https://bugs.archlinux.org/task/36969

And on Debian-derived distros you need to flip a sysctl first.

Not arguing against using user namespaces, but just FYI.

BTW, are you using seccomp to make sure the sandboxed app cannot itself
create nested user namespaces? Since they are the source of so many
privilege escalation bugs it seems like a good idea. Here's where we do it
in Sandstorm.io:

https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/supervisor.c++#L1055-L1061

-Kenton

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
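As an added illustration of the seccomp measure Kenton asks about (this is example code written for this page, not the code of xdg-app, Sandstorm or the linked supervisor.c++), the following builds a classic-BPF seccomp filter that returns EPERM for any clone() or unshare() call carrying CLONE_NEWUSER, so the sandboxed app cannot open a nested user namespace. It assumes a Linux host on x86_64 or aarch64 (the AUDIT_ARCH_* constant is chosen at compile time) and that the filter is installed as the last step inside the sandbox, after the supervisor has already created the sandbox's own user namespace, since the filter would otherwise block the sandbox setup itself. Because clone3() passes its flags in a struct the filter cannot inspect, the filter answers clone3() with ENOSYS, which makes libc fall back to clone() where the flags are visible. The fallback defines for CLONE_NEWUSER and __NR_clone3 are only there for older headers; the values are the kernel's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h>, for older headers */
#endif
#ifndef __NR_clone3
#define __NR_clone3 435            /* clone3 has the same number on every arch that has it */
#endif

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define NO_USERNS_FILTER_MAX 16

/* Low 32 bits of syscall argument 0 (little-endian hosts; every CLONE_* flag fits there). */
#define ARG0_LO offsetof(struct seccomp_data, args[0])

/* Fills `insns` (at least NO_USERNS_FILTER_MAX entries) with the program and returns its length. */
size_t build_no_userns_filter(struct sock_filter *insns)
{
    const struct sock_filter prog[] = {
        /* 0-2: kill if the syscall ABI is not the one we compiled for (numbers would differ) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-5: clone3 hides its flags in a struct; ENOSYS makes libc retry with clone() */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        /* 6-7: only unshare() and clone() can ask for a new user namespace */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
        /* 8-10: EPERM when CLONE_NEWUSER is set in the flags argument */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 11: every other syscall is unaffected by this filter */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof(prog) / sizeof(prog[0]);
    for (size_t i = 0; i < n; i++)
        insns[i] = prog[i];
    return n;
}

/* Installs the filter in the calling process; returns 0 on success, -1 on failure. */
int install_no_userns_filter(void)
{
    struct sock_filter insns[NO_USERNS_FILTER_MAX];
    struct sock_fprog prog = {
        .len = (unsigned short)build_no_userns_filter(insns),
        .filter = insns,
    };
    /* NO_NEW_PRIVS is required for an unprivileged process to install a filter,
       and it also stops setuid binaries from regaining privilege under it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Self-check: a forked child installs the filter and tries unshare(CLONE_NEWUSER).
   Returns 1 if the call was refused with EPERM, 0 otherwise, -1 on fork/wait error. */
int userns_is_blocked_after_install(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_no_userns_filter() != 0)
            _exit(2);
        long rc = syscall(__NR_unshare, CLONE_NEWUSER);
        _exit((rc == -1 && errno == EPERM) ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    int blocked = userns_is_blocked_after_install();
    printf("CLONE_NEWUSER blocked by filter: %s\n", blocked == 1 ? "yes" : "no");
    return blocked == 1 ? 0 : 1;
}
```

The filter only denies the one flag, so the sandboxed program keeps fork(), threads and the other namespace flags; if the sandbox policy is to deny all namespace creation, the same JSET test can be run against the full CLONE_NEW* mask instead. On a host where unprivileged user namespaces are already disabled by sysctl, the self-check reports "yes" regardless of the filter, so it confirms the outcome rather than the mechanism.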
