Muehlenhoff has submitted this change and it was merged.

Change subject: Disable unprivileged user namespaces on trusty systems
......................................................................


Disable unprivileged user namespaces on trusty systems

By default trusty allows the creation of user namespaces by unprivileged users
(Debian defaulted to disallowing these since the feature was introduced, for
security reasons). Unprivileged user namespaces are not something we need in
general (and especially not in trusty, where support for namespaces is
incomplete) and were the source of several local privilege escalation
vulnerabilities. Fortunately the 3.13.0-91 release introduced a backport of the
Debian patch allowing the creation of user namespaces to be disabled via a
sysctl. There are a few servers we haven't been able to migrate to that kernel
for technical reasons, so make the creation of the sysctl dependent on the
kernel release.

This creates the sysctl setting to enable this during boot; on the existing
trusty fleet it will be disabled via salt.

The effectiveness of the backport on current trusty kernels was tested using
the example code from user_namespaces(7).

Bug: T142567
Change-Id: I5136d33d7f1ee112b095bf06b016cc61325348ba
---
M modules/base/manifests/kernel.pp
1 file changed, 17 insertions(+), 0 deletions(-)

Approvals:
  Gehel: Looks good to me, but someone else must approve
  Ottomata: Looks good to me, but someone else must approve
  Filippo Giunchedi: Looks good to me, but someone else must approve
  Muehlenhoff: Verified; Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  BBlack: Looks good to me, but someone else must approve
diff --git a/modules/base/manifests/kernel.pp b/modules/base/manifests/kernel.pp
index 5fe5793..4a8fec4 100644
--- a/modules/base/manifests/kernel.pp
+++ b/modules/base/manifests/kernel.pp
@@ -22,4 +22,21 @@
             source => 'puppet:///modules/base/kernel/blacklist-linux44.conf',
         }
     }
+
+    # By default trusty allows the creation of user namespaces by unprivileged 
users
+    # (Debian defaulted to disallowing these since the feature was introduced 
for security reasons)
+    # Unprivileged user namespaces are not something we need in general (and 
especially
+    # not in trusty where support for namespaces is incomplete) and was the 
source for
+    # several local privilege escalation vulnerabilities. Fortunately the 
3.13.0-91 release
+    # introduced a backport of the Debian patch allowing to disable the 
creation of user
+    # namespaces via a sysctl. There's a few servers we haven't been able to 
migrate to
+    # that kernel for technical reasons, so make the creation of the sysctl 
dependant on
+    # the kernel release.
+    if os_version('ubuntu == trusty') and (versioncmp($::kernelrelease, 
'3.13.0-91') >= 0) {
+        sysctl::parameters { 'disable-unprivileged-user-namespaces':
+            values => {
+                'kernel.unprivileged_userns_clone' => 0,
+            },
+        }
+    }
 }
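Review bot: The `versioncmp($::kernelrelease, '3.13.0-91') >= 0` guard is doing more than gating on age, and the comment should say so: `kernel.unprivileged_userns_clone` only exists on kernels carrying the backported Debian patch, so applying the `sysctl::parameters` resource on an older trusty kernel would try to set a key the running kernel does not know. Also note that `$::kernelrelease` reports the running kernel, so a host that has the 3.13.0-91 package installed but has not yet rebooted into it stays unguarded until the next reboot plus puppet run; that is the gap the salt step in the commit message covers, and a one-line comment pointing at T142567 would let the long comment block (which repeats the commit message almost verbatim) be trimmed to the rationale for the guard.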

-- 
To view, visit https://gerrit.wikimedia.org/r/304474
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5136d33d7f1ee112b095bf06b016cc61325348ba
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Gehel <gleder...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: Ottomata <o...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
