summaryrefslogtreecommitdiffstats
path: root/fs/namespace.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-12-14 16:55:36 +0100
committerEric W. Biederman <ebiederm@xmission.com>2012-12-15 01:12:03 +0100
commit5e4a08476b50fa39210fca82e03325cc46b9c235 (patch)
treefb3a3c6b4c3f613abf354adefcff8a74051acdce /fs/namespace.c
parentFix cap_capable to only allow owners in the parent user namespace to have caps. (diff)
downloadlinux-5e4a08476b50fa39210fca82e03325cc46b9c235.tar.xz
linux-5e4a08476b50fa39210fca82e03325cc46b9c235.zip
userns: Require CAP_SYS_ADMIN for most uses of setns.
Andy Lutomirski <luto@amacapital.net> found a nasty little bug in the permissions of setns. With unprivileged user namespaces it became possible to create new namespaces without privilege. However the setns calls were relaxed to only require CAP_SYS_ADMIN in the user nameapce of the targed namespace. Which made the following nasty sequence possible. pid = clone(CLONE_NEWUSER | CLONE_NEWNS); if (pid == 0) { /* child */ system("mount --bind /home/me/passwd /etc/passwd"); } else if (pid != 0) { /* parent */ char path[PATH_MAX]; snprintf(path, sizeof(path), "/proc/%u/ns/mnt"); fd = open(path, O_RDONLY); setns(fd, 0); system("su -"); } Prevent this possibility by requiring CAP_SYS_ADMIN in the current user namespace when joing all but the user namespace. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'fs/namespace.c')
-rw-r--r--fs/namespace.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index c1bbe86f4920..398a50ff2438 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2781,7 +2781,8 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
struct path root;
if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
- !nsown_capable(CAP_SYS_CHROOT))
+ !nsown_capable(CAP_SYS_CHROOT) ||
+ !nsown_capable(CAP_SYS_ADMIN))
return -EPERM;
if (fs->users != 1)