Linux user namespaces security concerns

User Namespaces Security

If you don’t use user namespaces in production and run vanilla (without out-of-tree patches) mainline kernel then better to disable them.

Security concern

User namespaces is an isolation feature of Linux kernel, which allows unprivileged process (non-root) to create it’s own user namespace, where the process has full privileges (root), but stays unprivileged in previous user namespace. In theory this allows to safely run untrusted code as root inside such namespace without jeopardizing the host and without using virtualization, which is used nowdays for this purpose.

The concern is that by default, any unprivileged process in the system can create his own user namespace and gain privileges inside of it. This increases attacksurface of the kernel, as the process gets access to system calls behind CAP_SYS_ADMIN capability. As implementation of these system calls was written
with assumption that only privileged (hence trusted) process can invoke them and there are corner cases which can be exploited to gain privileges or execute arbitrary code outside of current namespace i.e. on the host.

Solutions

A. Recompile

So if you don’t use this feature (e.g. don’t use unprivileged Docker, LXC, etc.) thenit’s probably a good idea to disable user namespaces to prevent unwanted use of them. To fully disable them you need to recompile Linux kernel without CONFIG_USER_NS=y option. As most people use distro kernel, this approach brings a lot of burden on user, thus undesireable in most circumstances.

B. Disable namespaces

If your distro ships kernel with CONFIG_USER_NS=y option then you can disallow any user to create new user namespace by setting user.max_user_namespaces sysctl knob to zero, like this:
sysctl -w user.max_user_namespaces=0
It applies to all users in user namespace. To make it persistent you need to add line:
“user.max_user_namespaces=0”
to /etc/sysctl.conf or /etc/sysctl.d/ depending on your distro.

C. Kernel patch

Distros which ship kernel with CONFIG_USER_NS=y usually apply out-of-tree kernel patch[3], which adds sysctl knob kernel.unprivileged_userns_clone which is set to 0 by default, it means that by default only root or process with CAP_SYS_ADMIN privilege can create new user namespaces.

At least these distros do that (December 2017):

  • Ubuntu
  • Debian
  • Arch Linux

CentOS has user.max_user_namespaces set 0 by default.

So if you use any distro except these then it’s a good idea to doublecheck default values of these sysctl knobs.

References:
[1] http://man7.org/linux/man-pages/man7/user_namespaces.7.html
[2] https://www.kernel.org/doc/Documentation/sysctl/user.txt
[3] https://anonscm.debian.org/git/kernel/linux.git/tree/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

One Response

Leave a Reply