Linux user namespaces: a blessing and a curse - Ignat Korchagin - NDC TechTown 2024 скачать в хорошем качестве

Linux user namespaces: a blessing and a curse - Ignat Korchagin - NDC TechTown 2024

This talk was recorded at NDC TechTown in Kongsberg, Norway. #ndctechtown #ndcconferences #developer #softwaredeveloper Attend the next NDC conference near you: https://ndcconferences.com https://ndctechtown.com/ Subscribe to our YouTube channel and learn every day: / ‪@NDC‬ Follow our Social Media!   / ndcconferences     / ndc_conferences     / ndc_conferences   #OS #security #linux Unprivileged Linux user namespaces is a rather controversial topic in the security community, Linux Kernel community and in software engineering in general. On one side it allows building unprivileged and sandboxed services and applications, which would otherwise require elevated privileges to successfully run and provide features to their users. Not granting privileges to such applications follows the least privilege principle and makes our systems more secure. On the other side, this mechanism has been repeatedly used in various vulnerabilities and exploits as a starting attack vector, multiplying the damage and impact of these exploits. And since it became so popular within the offensive industry, many Linux distributions and security guidances started recommending disabling this feature altogether. There is an ongoing debate whether unprivileged user namespaces provide more security or make the system more vulnerable. In this presentation we will review how user namespaces might help building sandboxed secure applications. But we will also show how a recently discovered Linux kernel bug turned into a security vulnerability just because user namespaces are available on the system. Finally, we will give recommendations on how to get the best of both worlds: allow well-behaved applications to utilize user namespaces for better security, while blocking the feature for potentially malicious users/code.