[lxc-users] Risk/benefit of enabling user namespaces in the kernel for running unprivileged containers

John da_audiophile at yahoo.com
Fri Jan 13 20:52:14 UTC 2017

----- Original Message -----
> From: Serge E. Hallyn <serge at hallyn.com>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Sent: Friday, January 13, 2017 11:20 AM
> Subject: Re: [lxc-users] Risk/benefit of enabling user namespaces in the kernel for running unprivileged containers

>>  I'm unclear about several points:
>>  *Is it true that enabling CONFIG_USER_NS makes LXCs safer but at the cost
>>  of decreasing security on the host?
> 
> "basically"
> 
> "decreasing security on the host" implies there are known vulnerabilities or
> shortcomings which you are enabling as a tradeoff.  That's not the case.  Rather,
> there are so many interactions between types of resources that we keep running
> into new ways in which unanticipated interactions can lead to vulnerabilities
> when unprivileged users gain the ability to create new namespaces.
> 
> Some of the 'vulnerabilities' are pretty arguable, for instance the ability
> for an unprivileged user to escape a negative acl by dropping a group, or to
> see an overmounted file in a new namespace.  But others are very serious.
> 
> When that will settle down, no one really knows.


Again, thank you for the detailed reply.  Is the nature of these sorts of interactions such that users require physical access or ssh access to the host machine in order to exploit them, or can they originate from within the container?  If it's a physical/remote access thing, no big deal assuming we do not open the host up to ssh, right?  If however the vector is the container itself, that's entirely different.
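Added example, not part of the thread and not LXC's own tooling: a POSIX shell script that reports whether an unprivileged user on the host it runs on can create a user namespace, which is the precondition the exchange above is about. Everything in it is the script's own assumption rather than something the thread states: `user.max_user_namespaces` exists on Linux 4.9 and later and a value of 0 blocks creation of new user namespaces; `kernel.unprivileged_userns_clone` is a Debian/Ubuntu (and Arch) patch rather than an upstream knob; `/proc/config.gz` is only present when the kernel was built with `CONFIG_IKCONFIG_PROC`; and `userns_verdict` is a hypothetical helper that classifies those three constructed inputs.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread or the LXC project).
# Reports whether an unprivileged user on this host can create a user
# namespace, i.e. whether CONFIG_USER_NS is actually exposed to them.

# Pure classifier, so it can be exercised with constructed values offline.
#   $1  CONFIG_USER_NS:                   y | n | unknown
#   $2  user.max_user_namespaces:         integer | absent (kernels < 4.9)
#   $3  kernel.unprivileged_userns_clone: 0 | 1 | absent (distro patch only)
# Prints "<token>: <reason>" where token is one of
#   disabled | root-only | unprivileged-allowed | unknown
userns_verdict() {
    if [ "$1" = "n" ]; then
        echo "disabled: kernel built without CONFIG_USER_NS"
    elif [ "$2" = "0" ]; then
        echo "disabled: user.max_user_namespaces=0 blocks new user namespaces"
    elif [ "$3" = "0" ]; then
        echo "root-only: kernel.unprivileged_userns_clone=0 (distro patch)"
    elif [ "$1" = "y" ]; then
        echo "unprivileged-allowed: any local user can unshare(CLONE_NEWUSER)"
    else
        echo "unknown: CONFIG_USER_NS not determinable; rely on the live test"
    fi
}

# CONFIG_USER_NS from the running kernel's config, if it is exposed anywhere.
read_config_user_ns() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_USER_NS=y' "$cfg" && echo y || echo n
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        zcat /proc/config.gz | grep -q '^CONFIG_USER_NS=y' && echo y || echo n
    else
        echo unknown
    fi
}

# A sysctl read straight from /proc/sys; "absent" when this kernel lacks it.
read_sysctl() {
    path="/proc/sys/$(echo "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Live probe. Run it as an unprivileged user: root can always create a user
# namespace, so a root run says nothing about the question in the thread.
userns_probe() {
    config=$(read_config_user_ns)
    maxns=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    echo "CONFIG_USER_NS:                   $config"
    echo "user.max_user_namespaces:         $maxns"
    echo "kernel.unprivileged_userns_clone: $clone"
    echo "verdict: $(userns_verdict "$config" "$maxns" "$clone")"
    # Ground truth: try it. -U creates a user namespace, -r maps us to root
    # inside it, which is exactly what an unprivileged container does.
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U -r true 2>/dev/null; then
            echo "live test: uid $(id -u) CAN create a user namespace"
        else
            echo "live test: uid $(id -u) CANNOT create a user namespace"
        fi
    else
        echo "live test: skipped (util-linux unshare not installed)"
    fi
}

userns_probe
```

The classifier is kept separate from the live probe so the precedence is explicit: a kernel without `CONFIG_USER_NS` or with `user.max_user_namespaces=0` denies everyone, the Debian-style `unprivileged_userns_clone=0` denies only non-root, and only a `y` with neither limiter set means an ordinary local user (or a process inside a container that has not been confined further) can reach the code paths the thread is worried about. The `unshare -U -r true` line is the check that matters on a host whose config you cannot read.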
