Comment by holowoodman

holowoodman 1 day ago parent

For the last 10 years or so, namespaces in Linux were the source of the absolute hightest number of local privilege escalations and sometimes even arbitrary code executions in kernel space. Building a kernel without user namespace support has been goto-advice for multiuser systems for almost as long. Ubuntu is just late to the game because they mostly have server or single-user-desktop customers.

NexRebular 1 day ago

I've even seen namespaces used for hiding malicious software in Ubuntu systems too.

stefan_ 1 day ago

Actually I think device drivers got you beat there, but no ones suggesting we break them for users safety. Ubuntu today is more user hostile than Windows.

holowoodman OP 1 day ago

Device drivers are worse if you just count the numbers. But they are usually far less exploitable because very often you need to have the corresponding hardware plugged in or even need to manipulate said hardware to provide crafted inputs. So in reality, device driver problems are almost never exploitable.

ranger_danger 1 day ago

Seems ironic considering namespaces are highly utilized for isolation/security purposes.

immibis 1 day ago

I presume they're left enabled for root.

stefan_ 1 day ago

The same software that wants to use namespaces for isolation will refuse to run as root.

immibis 6 minutes ago

Not true. Docker, for example. There's plenty of cases where you set up an isolation environment as root and then use it as non-root.

This item has no comments currently.