Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mstdn.io/users/wolf480pl/statuses/113549718809622593">Wolf480pl (wolf480pl@mstdn.io)'s status on Tuesday, 26-Nov-2024 23:51:17 JST</a><a href="https://mstdn.io/@wolf480pl" title="wolf480pl@mstdn.io"><img src="https://gnusocial.jp/avatar/6007-48-20250211223719.webp" width="48" height="48" alt="Wolf480pl" style="position: absolute; left: 0; top: 0;">Wolf480pl</a><div><a href="https://gnusocial.jp/notice/7960489" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/105501" title="quad@akko.quad.moe">Quad</a></li></ul></div></section><article><p><a href="https://queer.hacktivis.me/users/lanodan">@lanodan</a> <a href="https://akko.quad.moe/users/quad">@quad</a> <br>No.<br>If unprivileged userNS is enabled, *any* user can just:<br>- clone(CLONE_NEWUSER), getting a fresh userNS in which it has all the capabilities<br>- unshare(CLONE_NEWNET), getting a new netNS, which belongs to its own userNS</p><p>any unprivileged process that does that ends up in a new netNS in which it as CAP_NET_ADMIN.</p><p>That netNS isn't used by anything else, so it can't really affect any network traffic going through the system.</p><p>But it gets its own copy of iptables it can mess with.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4073455#notice-7960807">In conversation</a><time datetime="2024-11-26T23:51:17+09:00" title="Tuesday, 26-Nov-2024 23:51:17 JST">about 3 months ago</time> <span>from <span><a href="https://mstdn.io/@wolf480pl/113549718809622593" rel="external" title="Sent from mstdn.io via ActivityPub">mstdn.io</a></span></span><a href="https://mstdn.io/@wolf480pl/113549718809622593">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Tuesday, 26-Nov-2024 23:51:17 JSTWolf480pl
in reply to
- Haelwenn /элвэн/ :triskell:
- Quad
@lanodan @quad
No.
If unprivileged userNS is enabled, *any* user can just:
- clone(CLONE_NEWUSER), getting a fresh userNS in which it has all the capabilities
- unshare(CLONE_NEWNET), getting a new netNS, which belongs to its own userNS
any unprivileged process that does that ends up in a new netNS in which it as CAP_NET_ADMIN.
That netNS isn't used by anything else, so it can't really affect any network traffic going through the system.
But it gets its own copy of iptables it can mess with.
In conversationabout 3 months ago from mstdn.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice