In Ubuntu 23.10 "Mantic Minotaur" access to user namespaces is restricted


With the launch of Ubuntu 23.10 "Mantic Minotaur", the details of this new version of the popular Linux distribution have already been published (you can consult the article about it in this link). Among the large number of changes that accompany the release, several alter specific aspects of the system.

One of those changes, and the reason for this article, is the new restriction imposed on user namespaces.

The change implemented by Canonical in Ubuntu 23.10 restricts unprivileged users' access to user namespaces, with the aim of making systems that rely on container isolation harder to attack through kernel vulnerabilities that can only be reached by manipulating user namespaces.

Unprivileged user namespaces are a kernel feature that can replace many uses of setuid and setgid programs and allow applications to build more secure sandboxes. Namespaces in the Linux kernel let different processes see different views of the same kinds of resources: for example, a process can be placed in an environment with its own mount points, UTS (hostname), IPC, PID and network stack, none of which overlap with the environment of other processes.

Unprivileged user namespaces allow namespaces to be created not only by root but also by normal, unprivileged users (sandboxed browsers use them, for example). Among other things, a process can create a user namespace and a network namespace, obtain root privileges inside that isolated environment and access advanced features of the networking stack there, while remaining unprivileged outside the container.

In theory, privileged operations inside a namespace are isolated from the host system. In practice, vulnerabilities regularly appear in kernel subsystems that an unprivileged user cannot reach from the host environment but that can be triggered from inside a namespace.

The problem with this model is that it exposes kernel interfaces normally reserved for processes with root capabilities to unprivileged users. That in turn introduces additional security risk, because more kernel interfaces are exposed than necessary, and unprivileged user namespaces are now widely used as a step in privilege escalation exploit chains.

In Ubuntu this has now changed: creating user namespaces is only permitted to programs that run under an AppArmor profile granting that permission (a profile containing the userns rule). Ubuntu ships such profiles for the applications that need them, and they can be used as a template to open user namespace access to other programs. For a program without such a profile the namespace creation fails and the kernel logs an AppArmor denial (operation="userns_create"), which is the first thing to look for when a sandboxed application stops working after the upgrade. The stated goal of the change is to protect systems that use container isolation from vulnerabilities that need user namespace access to be exploited.

While disabling unprivileged user namespaces can stop an exploit, it can also break applications that use them. Typically an exploit targets a specific application, and as long as unprivileged user namespaces can be disabled just for those applications, there is no need to disable them system-wide.

No release prior to Ubuntu 23.10 "Mantic Minotaur" is affected by this change, even when running kernel 6.5, because the restriction is not switched on by the kernel itself but by the apparmor package specific to Ubuntu 23.10.

Finally, for those who wish to disable this change, it can be turned off by typing the following in a terminal:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

The second key is the user namespace restriction itself; the first relaxes the accompanying AppArmor restriction on unprivileged unconfined processes. Reading either key with sysctl (without -w) shows its current value. Note that sysctl -w only changes the running kernel: the restriction comes back after a reboot unless the same key=value line is also placed in a file under /etc/sysctl.d/.
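The following program ties the two halves of the article together: what an unprivileged process gains inside a user namespace (the mechanism described above) and whether the Ubuntu 23.10 restriction is in effect on the machine it runs on. It is an added example written for this page, not code from the article, from Canonical or from the AppArmor project. It reads the kernel.apparmor_restrict_unprivileged_userns sysctl, then in a forked child calls unshare(CLONE_NEWUSER), maps itself to uid 0 inside the new namespace (the setgroups/uid_map/gid_map dance an unprivileged process has to do) and uses the capabilities gained there to create a network namespace. The function names, result codes and the closing interpretation are this example's own choices; the interpretation is a heuristic, not something the kernel reports.

```c
/* Added example (not code from Ubuntu, Canonical or AppArmor): report the state of
 * Ubuntu's kernel.apparmor_restrict_unprivileged_userns sysctl and probe, from a
 * forked child, what an unprivileged process can do: create a user namespace, map
 * itself to uid 0 inside it, and use the capabilities gained there to create a
 * network namespace.   Build: gcc -Wall -O2 -o userns_probe userns_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of probe_userns(); names chosen for this example. */
enum probe_result {
    PROBE_OK = 0,              /* user ns created, uid 0 inside, network ns created   */
    PROBE_USERNS_DENIED = 1,   /* unshare(CLONE_NEWUSER) refused (errno reported)     */
    PROBE_MAP_FAILED = 2,      /* setgroups/uid_map/gid_map could not be written      */
    PROBE_NOT_ROOT_INSIDE = 3, /* mapping written but euid inside is still not 0      */
    PROBE_NETNS_DENIED = 4,    /* uid 0 inside, yet unshare(CLONE_NEWNET) refused     */
    PROBE_INTERNAL = 5         /* pipe/fork failure in the probe itself               */
};

const char *probe_describe(int code) {
    static const char *text[] = {
        "unprivileged user namespace available: uid 0 inside, network namespace created",
        "user namespace creation denied for this process",
        "user namespace created but the uid/gid mapping could not be written",
        "uid/gid mapping written but the process is not uid 0 inside",
        "uid 0 inside the user namespace but a network namespace was still refused",
        "probe failed internally (pipe/fork)",
    };
    return (code >= 0 && code <= PROBE_INTERNAL) ? text[code] : "unknown result";
}

/* 1 = restricted, 0 = unrestricted, -1 = this kernel does not carry the Ubuntu sysctl. */
int read_userns_restrict_sysctl(void) {
    FILE *f = fopen("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* One-entry uid_map/gid_map line "<inside> <outside> 1\n"; returns its length or -1. */
int build_id_map(char *buf, size_t len, unsigned inside, unsigned outside) {
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs in the child; each step that can be denied is reported back through the pipe. */
static void child_probe(int fd) {
    int msg[2] = { PROBE_INTERNAL, 0 };
    char map[64];
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();

    if (unshare(CLONE_NEWUSER) != 0) {              /* the call Ubuntu 23.10 gates with AppArmor */
        msg[0] = PROBE_USERNS_DENIED; msg[1] = errno;
    } else if (write_file("/proc/self/setgroups", "deny") != 0 ||   /* mandatory before gid_map */
               build_id_map(map, sizeof map, 0, uid) < 0 ||
               write_file("/proc/self/uid_map", map) != 0 ||
               build_id_map(map, sizeof map, 0, gid) < 0 ||
               write_file("/proc/self/gid_map", map) != 0) {
        msg[0] = PROBE_MAP_FAILED; msg[1] = errno;
    } else if (geteuid() != 0) {
        msg[0] = PROBE_NOT_ROOT_INSIDE;
    } else if (unshare(CLONE_NEWNET) != 0) {        /* needs CAP_SYS_ADMIN, held only in the new user ns */
        msg[0] = PROBE_NETNS_DENIED; msg[1] = errno;
    } else {
        msg[0] = PROBE_OK;
    }
    ssize_t w = write(fd, msg, sizeof msg);
    (void)w;
    _exit(0);
}

/* Forks the probe so the caller's own namespaces stay untouched; errno of the failing step in *err_out. */
int probe_userns(int *err_out) {
    int pfd[2], msg[2] = { PROBE_INTERNAL, 0 };
    if (pipe(pfd) != 0) return PROBE_INTERNAL;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return PROBE_INTERNAL; }
    if (pid == 0) { close(pfd[0]); child_probe(pfd[1]); }
    close(pfd[1]);
    ssize_t n = read(pfd[0], msg, sizeof msg);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof msg) return PROBE_INTERNAL;
    if (err_out) *err_out = msg[1];
    return msg[0];
}

int main(void) {
    int s = read_userns_restrict_sysctl(), err = 0;
    if (s < 0) puts("kernel.apparmor_restrict_unprivileged_userns: not present (no Ubuntu 23.10 restriction in this kernel)");
    else printf("kernel.apparmor_restrict_unprivileged_userns = %d\n", s);
    int r = probe_userns(&err);
    printf("probe: %s%s%s\n", probe_describe(r), err ? " - " : "", err ? strerror(err) : "");
    /* Heuristic reading of the two facts together (this example's interpretation, not a kernel report). */
    if (s == 1 && r == PROBE_USERNS_DENIED)
        puts("restriction in effect: expect an AppArmor denial with operation=\"userns_create\" in dmesg");
    else if (s == 1 && r == PROBE_OK && getuid() != 0)
        puts("restriction is set but this process was allowed: it likely runs under a profile granting userns");
    return 0;
}
```

Run it once as a normal user. With the restriction active the probe reports a denial; after setting the sysctl to 0, or when the binary runs under an AppArmor profile that grants userns, it reports success, meaning the child was uid 0 with a fresh network namespace while still being an ordinary user on the host, which is exactly the starting position of the exploit chains mentioned above.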

If you are interested in knowing more, you can check the details in the following link.

