On Wed, Mar 9, 2016 at 11:21 AM, Serge E. Hallyn wrote:
> Quoting Colin Walters (walt...@verbum.org):
>> On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
>> > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
>> > > Hi all-
>> > >
>> > > There are several users and distros that are n
Quoting Colin Walters (walt...@verbum.org):
> On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
> > > Hi all-
> > >
> > > There are several users and distros that are nervous about user
> > > namespaces from an attack surface point of vie
On Wed, Mar 9, 2016 at 11:07 AM, Serge E. Hallyn wrote:
> Quoting Kees Cook (keesc...@chromium.org):
>> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
>> > Hi all-
>> >
>> > There are several users and distros that are nervous about user
>> > namespaces from an attack surface point of vie
Quoting Kees Cook (keesc...@chromium.org):
> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
> > Hi all-
> >
> > There are several users and distros that are nervous about user
> > namespaces from an attack surface point of view.
> >
> > - RHEL and Arch have userns disabled.
> >
> > - Ubu
On 2016-03-09 13:51, Colin Walters wrote:
> On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> > On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
> > > Hi all-
> > >
> > > There are several users and distros that are nervous about user
> > > namespaces from an attack surface point of view.
> > >
> > > - RHEL and Arch have
On Wed, Mar 9, 2016, at 01:14 PM, Kees Cook wrote:
> On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
> > Hi all-
> >
> > There are several users and distros that are nervous about user
> > namespaces from an attack surface point of view.
> >
> > - RHEL and Arch have userns disabled.
> >
>
On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski wrote:
> Hi all-
>
> There are several users and distros that are nervous about user
> namespaces from an attack surface point of view.
>
> - RHEL and Arch have userns disabled.
>
> - Ubuntu requires CAP_SYS_ADMIN
>
> - Kees periodically proposes
Quoting Andy Lutomirski (l...@amacapital.net):
> On Mar 7, 2016 10:06 PM, "Serge E. Hallyn" wrote:
> >
> > On Mon, Mar 07, 2016 at 09:15:25PM -0800, Andy Lutomirski wrote:
> > > - Ubuntu requires CAP_SYS_ADMIN
> >
> > No, it does not. It has temporarily re-added a sysctl which can enable
> > tha
On Mar 7, 2016 10:06 PM, "Serge E. Hallyn" wrote:
>
> On Mon, Mar 07, 2016 at 09:15:25PM -0800, Andy Lutomirski wrote:
> > - Ubuntu requires CAP_SYS_ADMIN
>
> No, it does not. It has temporarily re-added a sysctl which can enable
> that behavior, but it's not set by default. The reason for prov
Andy Lutomirski writes:
> Hi all-
[Snip strange things distros do]
Distros do strange things from other people's perspectives. Sometimes we
can help with that, sometimes we can't. In general producing kernel code
that is reliable and well maintained is what we can do. Distro folks
can decide w
On Mon, 2016-03-07 at 21:15 -0800, Andy Lutomirski wrote:
> Hi all-
>
> I think there are three main types of concerns. First, there might be
> some as-yet-unknown semantic issues that would allow privilege
> escalation by users who create user namespaces and then confuse
> something else in th
On Mon, Mar 07, 2016 at 09:15:25PM -0800, Andy Lutomirski wrote:
> Hi all-
>
> There are several users and distros that are nervous about user
> namespaces from an attack surface point of view.
>
> - RHEL and Arch have userns disabled.
>
> - Ubuntu requires CAP_SYS_ADMIN
No, it does not. It
Hi all-
There are several users and distros that are nervous about user
namespaces from an attack surface point of view.
- RHEL and Arch have userns disabled.
- Ubuntu requires CAP_SYS_ADMIN
- Kees periodically proposes to upstream some sysctl to control
userns creation.
I think there are t
13 matches