Severity:

Remote:

Type:
  - Unknown
  + Privilege escalation

Description:
  + Giuseppe Scrivano discovered that overlayfs did not properly perform permission checking when copying up files in an overlayfs. The flaw can be exploited from within a user namespace, for example on systems where unprivileged user namespaces are allowed.
  + An attacker can abuse this to gain read access to files on the system that they would not normally be permitted to access.

References:
  + https://www.openwall.com/lists/oss-security/2020/10/13/6

Notes:
  + Mitigation on systems where unprivileged user namespaces are enabled but not required is to set the kernel.unprivileged_userns_clone sysctl to 0, e.g.:
  +
  +     $ sudo sysctl kernel.unprivileged_userns_clone=0
  +
  + and, to make it persist across reboots, add a file in /etc/sysctl.d/ that contains:
  +
  +     kernel.unprivileged_userns_clone=0
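The following script is an added example for the mitigation described in the Notes; it is not part of the tracker entry. It reads the live sysctl value, probes empirically whether an unprivileged user can still create a user namespace (the precondition the description names), and, with --apply, sets the sysctl and writes the persistent drop-in. It assumes a kernel that carries the kernel.unprivileged_userns_clone sysctl (a patch Arch's kernels include; mainline Linux does not provide it, so the /proc path is reported as absent there), and the drop-in file name 99-userns.conf is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the tracker entry: report and apply the
# kernel.unprivileged_userns_clone mitigation.
# Assumption: the kernel carries the unprivileged_userns_clone sysctl patch
# (Arch kernels do); without it the /proc path below does not exist.

SYSCTL_PATH=/proc/sys/kernel/unprivileged_userns_clone
DROPIN=/etc/sysctl.d/99-userns.conf   # file name is an assumption
SETTING='kernel.unprivileged_userns_clone=0'

# Interpret a sysctl value: 1 allows unprivileged user namespaces,
# 0 blocks them; anything else (including "absent") is reported as unknown.
userns_state() {
    case "$1" in
        0) echo blocked ;;
        1) echo allowed ;;
        *) echo unknown ;;
    esac
}

# Read the live value, or "absent" when the kernel lacks the sysctl.
current_value() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo absent
    fi
}

# Empirical probe: try to create a user namespace without privileges.
# Returns 0 when it succeeds, i.e. the mitigation is NOT in effect.
probe_userns() {
    unshare -U true 2>/dev/null
}

# The exact line the persistent drop-in must contain.
dropin_content() {
    printf '%s\n' "$SETTING"
}

# Apply at runtime and persist across reboots (needs root).
apply_mitigation() {
    sysctl -w "$SETTING" && dropin_content > "$DROPIN"
}

main() {
    v=$(current_value)
    echo "sysctl value: $v ($(userns_state "$v"))"
    if probe_userns; then
        echo "probe: unprivileged user namespace creation succeeded (vulnerable precondition present)"
    else
        echo "probe: unprivileged user namespace creation failed (mitigated, or unshare unavailable)"
    fi
    if [ "${1:-}" = "--apply" ]; then
        apply_mitigation && echo "mitigation applied and persisted in $DROPIN"
    fi
}

main "$@"
```

Run it as an unprivileged user to see both the configured value and the probe result; the probe matters because a value of 0 read from /proc is only meaningful if the running kernel actually honours that sysctl. Run it as root with --apply to set the value and write the drop-in. On a kernel that lacks the sysctl the script reports "absent" and does not attempt the write.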