@lisaev I never said that it wasn't a neat idea, I think it is awesome.
FS#36969 - [linux] 3.13 add CONFIG_USER_NS
Description: Add user namespaces to kernel configuration: Support user namespaces. This allows containers, i. This is recommended to be turned on when using lxc.
Must wait for 3. Please note that there seem to be some security implications of enabling user namespaces. I agree with Florian, allowing non-root users to take advantage of elevating themselves to a local root seems like a huge attack surface.
Preferably this would be a sysctl with a huge warning attached to it when it is switched on. Webhostbudd: Allowing non-admin users to create namespaces is one of the goals of the whole "user namespace" work. For instance, Ubuntu plans to be able to deploy unprivileged containers in However, the above commit has already produced at least 2 serious vulnerabilities, so I guess people at Fedora security decided to play it safe and I agree with them.
I suggest to delay enabling user namespaces by default until at least 3. Is it possible to rename this bug report to say "3.
This is a very useful feature even without allowing unprivileged users to use it, so I think Arch should be enabling it and reverting the patch removing the need to be a superuser like Fedora. The problem is that it hardly has any testing and does expose a much larger section of the kernel to user torture than was previously available before. This is a very major change to many kernel subsystems and has already enabled new attacks. Revisit this issue?
CentOS 7, Debian 7. Note that Sandstorm.
Debian and Ubuntu have the kernel. Arch could do the same if you want to be cautious. If you want to see this feature enabled, then land something like this upstream. Meanwhile Chrome currently relies on a setuid binary to set up its sandbox, because unshare requires privilege -- unless, of course, unprivileged user namespaces are allowed.
So presumably Chrome will start using userns at some point so that it can get rid of the setuid binary which is itself a security liability. So in the long run, enabling unprivileged user namespaces is actually a security win for Chrome. Sorry, to be clear, I only commented here to provide what I thought might be useful information for this bug. Sandstorm like Chrome would rather not rely on a setuid binary for sandboxing.
It allows calling clone without parameter checks in some of the sandboxed processes. A small setuid binary is way saner than a completely broken kernel feature with a vulnerability discovered every other week.
Please do a quick search for user namespaces in the kernel log. Thanks to the lag in getting new kernel versions into [core] there would usually be a usable user namespace exploit available.
It allows calling clone without parameter checks Ouch, really? That seems like a bug in Chrome. Has someone reported it? Anyone relying on the lack of LPE in Linux, without using seccomp, is not in a great place, sadly. Just saying. I guess this issue should be closed again? The current rules are created by fallible humans who are going to miss many opportunities to lock down specific system calls.
Originally, Chromium was just using seccomp for the renderer process but it is going to be extended to the other processes outside of that most restricted sandbox over time. New features known to add significant attack surfaces should be opt-in at runtime. The people working on it are still convinced that they can make it quite robust in the near future, despite all of the evidence to the contrary.
Anyway, this is the frustrating side to using software as shipped by upstream.
Is it debian flag? Why not?
The statement loses meaning when you quote it out of context. There are no doubt going to be a hundred more disclosed over the next few years. Why not wait until the feature is mature before enabling it? I was pointing out the most recent raft of fixes I know about. Which occurred 4 months ago. The most recent set of fixes landed yesterday April 18th and includes a fix for a vulnerability made public in October There were issues discovered in between the fixes from Eric Biederman anyway. The Apport and Abrt vulnerabilities disclosed on April 14th were only exploitable by unprivileged users due to unprivileged user namespaces.
Why is it so difficult to add the patch which makes it a sysctl flag? Another one today Linux 4.
It would of course be possible to ship a sysctl config to set it but that sounds suboptimal to me as it would also affect other installed kernels. It makes sense to enable it at compile-time with it disabled by default via the sysctl. That means it can still be enabled by default for linux-hardened, just not for unprivileged users, and unprivileged use only requires toggling the sysctl. The sysctl conf disabling it should not be added to systemd, etc.
It exposes a bunch of additional kernel attack surface to unprivileged users by letting them enter a user namespace and gain all of the capabilities within that user namespace. They can control network administration within that namespace including iptables, mounts and a lot more. Many additional vulnerabilities are still ending up exposed due to unprivileged user namespaces. Nothing has changed since Linux 4. There was a proposal to support an unprivileged user namespace capability mask to allow unprivileged user namespaces without granting capabilities within it, but just like the toggle for unprivileged user namespaces that seems to be going nowhere.
The costs are way higher than any benefits. Not really sure what the point is of rehashing this over and over again. The whole discussion is already here. If you understand that you need userns, just build your own kernel. Well, most other namespaces are used by non container software sometimes, see systemd.
User namespaces probably also are although not sure. And all namespaces are currently enabled by default, userns is the only exception. So not sure this argument holds, security concerns make more sense to me. Yes, I meant security concerns. Enabling all namespaces except userns makes sense because with them -ARCH kernels are usable without sacrificing security.
And btw, systemd uses namespaces also for containers. So breaking out of such a container would give them only normal user privileges outside. But not sure what nature most CVEs relating to user namespaces have, so that theory may be too optimistic. What about giving containers to untrusted users? They could exploit many of the same vulnerabilities, so for someone hosting containers as virtual private servers, attack surface would be probably quite similar, no matter if unprivileged user namespaces are or are not allowed.
Exposing unprivileged user namespaces reduces application container security along with the security of the system as a whole. In that case, the userspace OS in the container needs a quasi-root and user namespaces provide that. On linux-hardened, user namespaces are enabled and can be used to replace root with an isolated quasi-root. If you really want to accept the drawbacks of unprivileged access you can enable it. So someone could use things like lxc now for the same purpose.
Enabling this for the linux package would be fine if it was disabled by default via the user. Unless the package maintainers are willing to apply a patch making user. By holding off on enabling this, Arch Linux played a large part in making the alternate approach in bubblewrap into a reality.
Otherwise, they could have just assumed unprivileged user namespaces were present rather than making a safer implementation.
Until something like the Chromium sandbox has a hard dependency on this, I think Arch should continue down the current path. Waiting until they make the feature safe makes sense. It has so little utility compared to the danger it creates.
AFAIK no one has suggested that enabling compiled-in support but disabling it via the upstream sysctl knob, is any less secure than simply not enabling compiled-in support. But most all? And, bugs are, well, bugs.