Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think OP is referring to the "unprivileged user namespaces" [1] feature of Linux, which caused numerous security incidents in the past. AFAIK, this is mainly because with this feature enabled, unprivilged users can create environments/namespaces which allow them to exploit kernel bugs much more easily. Most of them revolve around broken permission checks (read: root inside container but not outside, yet feature X falsely checks for the permissions _inside_). [2] has a nice list of CVEs caused by unprivileged user namespaces. Given that rootful docker e.g. is also prone to causing security issues, it's ultimately an attacker model / pick-your-poison situation though.

[1] https://www.man7.org/linux/man-pages/man7/user_namespaces.7....

[2] https://security.stackexchange.com/a/209533



Doesn't the Chromium sandbox, the gold standard for browser sandboxes, use user namespaces?

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/l...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: