
User NS usage and attack surface mitigation on debian



I stumbled upon this answer from three years ago (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446)
"User namespaces *are* enabled - but by default, they can only be created by root".
I need clarification on that, because I didn't quite know how namespace management works.
I experimented a bit. From what I gathered, it creates a namespace originating from the user asking for it, and using it as a normal user was disabled by default because it clearly adds lots of attack surface by exposing code that would normally be used only by root. Also, in this little space there is a mapping between namespace users and the originating user.

What I didn't quite get is: does this patch allow creating namespaces belonging to a user from root, thus avoiding the possibility of privilege escalation, or is having user namespaces running from unprivileged users a threat by itself?

I ask this because I'm particularly concerned about unprivileged container support. While it is certainly good not to give regular UIDs access to critical pieces of the Linux kernel, it may be counterproductive in the case of a single user deputed just to run unprivileged containers, if there is no other way of creating such unprivileged namespaces.

If there is some information I'm missing, please explain it or link resources. I searched what I could, but apparently it wasn't enough.
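
An added example, not part of the original message: a read-only Python check of the state the question is about. It assumes the restriction quoted above is controlled by the Debian-specific sysctl `kernel.unprivileged_userns_clone` (a name the message does not give), also reads the upstream `user.max_user_namespaces` limit, and translates IDs through a `uid_map`; the sample map in the demo is constructed.

```python
from pathlib import Path

def read_int(path):
    """Return the integer stored in a sysctl file, or None if it is absent."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None

def userns_policy(proc_root="/proc"):
    """Report who may create user namespaces according to the two sysctls."""
    sysdir = Path(proc_root) / "sys"
    # Assumption: Debian-patched kernels expose this knob (0 = privileged only).
    clone = read_int(sysdir / "kernel" / "unprivileged_userns_clone")
    # Upstream limit; 0 disables user namespace creation for everyone.
    limit = read_int(sysdir / "user" / "max_user_namespaces")
    if limit == 0:
        verdict = "disabled"
    elif clone == 0:
        verdict = "privileged-only"
    elif clone is None and limit is None:
        verdict = "unknown"
    else:
        verdict = "unprivileged-allowed"
    return {"unprivileged_userns_clone": clone,
            "max_user_namespaces": limit, "verdict": verdict}

def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, length) tuples."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def to_outside(id_map, inside_id):
    """Translate an ID inside the namespace to the ID in the parent namespace."""
    for inside, outside, length in id_map:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None  # no mapping covers this ID

if __name__ == "__main__":
    print(userns_policy())
    # Constructed sample: root inside maps to UID 1000 outside, plus a subuid range.
    sample = parse_id_map("0 1000 1\n1 100000 65536\n")
    for uid in (0, 1, 70000):
        print(uid, "->", to_outside(sample, uid))
```

A process's own mapping can be fed in with `parse_id_map(open("/proc/self/uid_map").read())`.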

