mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-02 11:28:06 +00:00
docs: fix: typo and clarity
@@ -1,3 +1,3 @@
# User namespaces
[User namespaces](https://en.wikipedia.org/wiki/Linux_namespaces#User_ID_(user)) are a kernel feature introduced in kernel version 3.8. When an unprivileged user asks the kernel to create a namespace, the kernel needs to permit that user to do so. Whether this is permitted by the kernel is controlled via a sysctl flag. There is [some history](https://madaidans-insecurities.github.io/linux.html#kernel) (albeit fairly old history) of vulnerabilities made possible by allowing this functionality for unprivileged users. Given this history, you might think we should just disable this functionality altogether. However if this functionality is disabled, then flatpak can't function without the suid bit seton the bubblewrap binary. This means that bubblewrap runs as root so it can create namespaces on behalf of the user, instead of the kernel doing so. This means trusting bubblewrap (a significantly less battle-tested piece of software than the kernel) to run as root. However, some see this as still a preferable tradeoff (trusting one small program with root in exchange for reducing the kernel's attack surface). Ultimately we leave both in because it's a tradeoff and neither is demonstrably preferable from a security standpoint.
[User namespaces](https://en.wikipedia.org/wiki/Linux_namespaces#User_ID_(user)) are a kernel feature introduced in kernel version 3.8. When an unprivileged user asks the kernel to create a namespace, the kernel needs to permit that user to do so. Whether this is permitted by the kernel is controlled via a sysctl flag. There is [some history](https://madaidans-insecurities.github.io/linux.html#kernel) (albeit fairly old history) of vulnerabilities made possible by allowing this functionality for unprivileged users. Given this history, you might think we should just disable this functionality altogether. However if this functionality is disabled, then flatpak can't function without the suid bit set on the bubblewrap binary. In this scenario bubblewrap creates namespaces on behalf of the user instead of the kernel, by running as root. This means trusting bubblewrap (a significantly less battle-tested piece of software than the kernel) to run as root. However, some see this as still a preferable tradeoff (trusting one small program with root in exchange for reducing the kernel's attack surface). Ultimately we leave both in because it's a tradeoff and neither is demonstrably preferable from a security standpoint.
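Review bot: the rewritten sentence ("In this scenario bubblewrap creates namespaces on behalf of the user instead of the kernel, by running as root") still says bubblewrap, not the kernel, creates the namespace, which contradicts the second sentence of the same paragraph ("When an unprivileged user asks the kernel to create a namespace, the kernel needs to permit that user to do so"). The namespace is still created by the kernel in both configurations; what changes is that the request comes from a root process instead of the unprivileged user. Suggest wording it as: "In this scenario bubblewrap runs as root and asks the kernel to create the namespaces on the user's behalf." The "seton" to "set on" typo fix is fine.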