#UserNamespace

N-gated Hacker News @ngate
2025-03-29

💥🔧 Ubuntu's user namespace restrictions are about as useful as a chocolate teapot, as revealed by three new bypasses. Meanwhile, advisories pile up like unread emails, and users everywhere double down on their favorite pastime: keeping their fingers crossed. 🤞📧
seclists.org/oss-sec/2025/q1/2

Hacker News @h4ckernews
2025-03-29

OSS-SEC: Three bypasses of Ubuntu's unprivileged user namespace restrictions

seclists.org/oss-sec/2025/q1/2

Axel ⌨🐧🐪🚴😷 | R.I.P Natenom @xtaran@chaos.social
2025-03-03

#TIL: #Firefox on #Linux works fine with

user.max_user_namespaces = 0

as well as with

user.max_user_namespaces = 100

but not with

user.max_user_namespaces = 1

which seems to have been set by default on my #DebianUnstable since last week or so.

Also Firefox' error messages on the shell where I started it weren't really that helpful:

Failed to launch tab subprocess @fork (Error:28): file ipc/[…]
fork() failed: No space left on device: file ipc/[…]

#UserNS #UserNamespace #sysctl

2025-01-31

@ktn @ct_Magazin @heiseonline @jolla

Pretty cool. But is it anywhere near as secure?

#Android has a minimal #Kernel, and alternatives for all sorts of things, like glibc/bionic.

The #SELinux support is also unique; not even #Fedora or #RHEL really use SELinux heavily for #sandboxing

That runs without #usernamespace.s, with separate #UID.s, a super simple #Unix feature.

#Bluetooth is isolated. The #USB-port (on #GooglePixel with #GrapheneOS) I can switch off in hardware
