Muehlenhoff has submitted this change and it was merged. Change subject: Disable unprivileged user namespaces on trusty systems ......................................................................
Disable unprivileged user namespaces on trusty systems

By default trusty allows the creation of user namespaces by unprivileged users (Debian defaulted to disallowing these since the feature was introduced, for security reasons). Unprivileged user namespaces are not something we need in general (and especially not in trusty, where support for namespaces is incomplete) and were the source of several local privilege escalation vulnerabilities. Fortunately the 3.13.0-91 release introduced a backport of the Debian patch allowing the creation of user namespaces to be disabled via a sysctl. There are a few servers we haven't been able to migrate to that kernel for technical reasons, so make the creation of the sysctl dependent on the kernel release.

This creates the sysctl setting to enable this during boot; the existing trusty fleet will be disabled via salt.

The effectiveness of the backport on current trusty kernels was tested using the example code from user_namespaces(7).

Bug: T142567
Change-Id: I5136d33d7f1ee112b095bf06b016cc61325348ba
---
M modules/base/manifests/kernel.pp
1 file changed, 17 insertions(+), 0 deletions(-)

Approvals:
  Gehel: Looks good to me, but someone else must approve
  Ottomata: Looks good to me, but someone else must approve
  Filippo Giunchedi: Looks good to me, but someone else must approve
  Muehlenhoff: Verified; Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  BBlack: Looks good to me, but someone else must approve

diff --git a/modules/base/manifests/kernel.pp b/modules/base/manifests/kernel.pp
index 5fe5793..4a8fec4 100644
--- a/modules/base/manifests/kernel.pp
+++ b/modules/base/manifests/kernel.pp
@@ -22,4 +22,21 @@ source => 'puppet:///modules/base/kernel/blacklist-linux44.conf', } } + + # By default trusty allows the creation of user namespaces by unprivileged users + # (Debian defaulted to disallowing these since the feature was introduced for security reasons) + # Unprivileged user namespaces are not something we need in general (and especially + # not in trusty where support for namespaces is incomplete) and was the source for + # several local privilege escalation vulnerabilities. Fortunately the 3.13.0-91 release + # introduced a backport of the Debian patch allowing to disable the creation of user + # namespaces via a sysctl. There's a few servers we haven't been able to migrate to + # that kernel for technical reasons, so make the creation of the sysctl dependant on + # the kernel release. + if os_version('ubuntu == trusty') and (versioncmp($::kernelrelease, '3.13.0-91') >= 0) { + sysctl::parameters { 'disable-unprivileged-user-namespaces': + values => { + 'kernel.unprivileged_userns_clone' => 0, + }, + } + } } -- To view, visit https://gerrit.wikimedia.org/r/304474 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5136d33d7f1ee112b095bf06b016cc61325348ba Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Ema <e...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Gehel <gleder...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: Ottomata <o...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
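Review bot: The guard `if os_version('ubuntu == trusty') and (versioncmp($::kernelrelease, '3.13.0-91') >= 0)` keys on the kernel that is currently running, not on the kernel that is installed, so a host that is upgraded to 3.13.0-91 (or later) and rebooted comes up without the `kernel.unprivileged_userns_clone = 0` sysctl file and stays in the permissive default until the next puppet run creates the `sysctl::parameters` resource; the commit message's goal of having the setting applied "during boot" therefore only holds from the second boot on the new kernel onward. Either gate on the installed kernel package version instead of `$::kernelrelease`, or at least state the first-boot window in the comment so it is not mistaken for full coverage. Separately, the nine-line comment repeats the commit message verbatim (including the "dependant" typo and "namespaces ... was the source"); a two-line summary plus a reference to T142567 would be easier to keep accurate.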