Zack's Kernel News

Article from Issue 195/2017

Author(s): Zack Brown

Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

Cgroups Xattr Security

Serge E. Hallyn said that within a user namespace (i.e., a virtual machine), a root user could not be allowed to write a security.capability extended attribute (xattr). If it could, then any user within that namespace could su to root, write the xattr, and execute the file with those security privileges on the host machine.

On the other hand, the root user on the host machine could absolutely be allowed to write a security.capability xattr because, of course, they're the root user. This is one of the many examples of ways in which security considerations require strange feature curtailment within virtual machines.

Nonetheless, if something behaves differently on the virtual machine than on the host, that represents a fundamental incompatibility that would affect things like software portability and reliability.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES

Print Issues

Digital Issues

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia