[arch-general] user namespaces

sivmu sivmu at web.de
Thu Feb 2 17:36:20 UTC 2017 


Am 02.02.2017 um 17:45 schrieb Daniel Micay via arch-general:
> SubgraphOS doesn't use user namespaces.

It also is not a lightweight solution that compares to the tools in
question for that matter. But I get your point.


>> I was under the impression that all
>> namespaces were enabled by default. That changes things to some
>> extend.
> 
> All but user namespaces. The other namespaces do not present any real
> risk by default, since only privileged users have access to them. User
> namespaces greatly reduce security unless they are disabled at runtime.
> A system designed around user namespaces can make sure that EVERYTHING
> runs in a user namespace with user namespaces disabled within them, but
> on a general purpose system it's a big problem, and that's also the case
> for a general purpose system with a few sandboxes. Not to mention that
> user namespaces accomplish essentially nothing for security and the only
> reason you or anyone else wants them is fact that they open up the
> unpriv use can of worms, but it's much less secure than alternative
> approaches to that. It is NOT necessary or even desirable for that. It
> is only wanted for the political reasons I've already gone into.
> 

I get it. User namespaces privide a wide attack surface to the kernel
and decrease security and as you pointed out, the only reason to use it
is to get access to priviliges features like other namespaces as an
unprivileged user.

The reason me and I dare to say likely many others cling to this feature
is the impressive isolation namespaces provide for sandboxing and I do
not see comparable ways to do this.

But I agree that we need secure sandboxing solutions.

Using bubblewrap with suid on a system without unprivileged user
namespaces would be the closest thing I know right now.


>>
>> Not that there are not enoght weak points in sandboxing as long as
>> things like X11 are available.
> 
> The point is that they are truly not usable for sandboxing desktop apps
> and that's the only niche that's not well covered already.
> 

Would you care to elaborate this point?
As said before I think things like flatpak/bubblewrap can be used if
carefully designed.
If your point is that it does not allow normal users to safely use it
without detailed knowledge of sandboxing weakpoints i would agree. But
other then that it is kind of lost on me what draws you to this
conclusion. Or rather what would qualify as secure sandbox in your opinion.



> 
> Separately from that, generic sandboxing is a lot weaker than integrated
> sandboxing which you imply by stating *strong* seccomp filters. In that
> case namespaces are not really required.

In regards to sandboxing desktop applications, seccomp would not be
enough. Even wayland cannot be secured without further isolation:
https://github.com/MaartenBaert/wayland-keylogger

And I have yet to find a successful attempt to filter socket
communication for blocking dbus.

Still hoping for bus1 to evolve soon.


> I doubt it. Anyway, linux-grsec is in the official repositories. No one
> really wants / needs user namespaces though. They want *unprivileged*
> access to namespaces.

Then I will drop this topic as it has become clear to me that you know
what you are talking about here.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170202/7065861d/attachment.asc>

More information about the arch-general mailing list