Conversation

@HackAttack (Contributor)

This feature breaks our ability to effectively become root (by design).

@HackAttack HackAttack requested a review from a team as a code owner May 31, 2025 00:56
@toote (Contributor) commented Jun 3, 2025

Could you provide more information about the exact issue you are trying to solve? I am not sure I understand what it is.

@HackAttack (Contributor, Author) commented Jun 3, 2025

In order for the chown cleanup to work, we have to be root (to be able to delete root-owned files). Since we can’t assume sudo will work, the “trick” to becoming root is to run a container as root and mount in the directory we want to clean. In Docker’s default configuration, root in the container is root outside the container, but this is a security hole which Docker allows you to avoid with user namespaces. But we need to exploit that security hole to do what we’re trying to do! So we disable the protection on a per-container basis.
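
The pattern described in the comment above, written out as an added example (not code from the plugin or from either participant): a root container with the build directory bind-mounted, started with `--userns=host` so it sits outside the daemon's remapped user namespace, alongside the audit check a reviewer would want, which reads `docker inspect` output and flags containers that opt out of remapping while running as uid 0 with read-write bind mounts. The `docker inspect` / `docker info` field names are Docker's own; the container names, ids, paths and the exact `docker run` invocation are constructed for this example and are assumptions, not the project's implementation.

```python
import json

# Constructed sample of `docker inspect <container...>` output, trimmed to the
# fields this check reads. Names, ids and paths are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000001",
        "Name": "/ci-chown-cleanup",
        "Config": {"User": "0:0"},
        "HostConfig": {"UsernsMode": "host", "Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/home/ci/builds/job-1",
             "Destination": "/workdir", "RW": True}
        ],
    },
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000002",
        "Name": "/app-tests",
        "Config": {"User": ""},
        "HostConfig": {"UsernsMode": "", "Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/home/ci/builds/job-1",
             "Destination": "/src", "RW": True}
        ],
    },
])

# Constructed sample of `docker info --format '{{json .SecurityOptions}}'`
# on a daemon that has userns-remap turned on.
SAMPLE_SECURITY_OPTIONS = json.dumps(
    ["name=apparmor", "name=seccomp,profile=default", "name=userns"])


def daemon_userns_enabled(security_options_json):
    """True when the daemon advertises user-namespace remapping in its
    SecurityOptions (the `name=userns` entry that `docker info` reports)."""
    return "name=userns" in json.loads(security_options_json)


def host_userns_root_containers(inspect_json):
    """Flag containers that opt out of the daemon's userns remapping
    (HostConfig.UsernsMode == "host"). In such a container uid 0 is host
    root on any bind-mounted tree, which is exactly what the chown cleanup
    relies on and what a security review wants listed. Returns one record
    per flagged container with its user and read-write bind sources."""
    flagged = []
    for c in json.loads(inspect_json):
        if c.get("HostConfig", {}).get("UsernsMode") != "host":
            continue
        user = c.get("Config", {}).get("User", "")
        # Docker runs as uid 0 when User is empty, "root", "0" or "0:<gid>".
        as_root = user in ("", "root") or user.split(":")[0] == "0"
        rw_binds = sorted(
            m["Source"] for m in c.get("Mounts", [])
            if m.get("Type") == "bind" and m.get("RW")
        )
        flagged.append({
            "name": c.get("Name", "").lstrip("/"),
            "as_root": as_root,
            "rw_bind_sources": rw_binds,
        })
    return flagged


def chown_cleanup_argv(host_dir, uid, gid, image="alpine"):
    """argv for the cleanup pattern the thread describes: a root container
    with the build directory bind-mounted, run outside the remapped user
    namespace so its chown acts as host root. Image and flags are this
    example's assumptions, not the plugin's code."""
    return [
        "docker", "run", "--rm",
        "--userns=host",          # per-container opt-out of userns-remap
        "--user", "0:0",
        "-v", f"{host_dir}:/workdir",
        image, "chown", "-R", f"{uid}:{gid}", "/workdir",
    ]


if __name__ == "__main__":
    print("daemon userns-remap on:",
          daemon_userns_enabled(SAMPLE_SECURITY_OPTIONS))
    for rec in host_userns_root_containers(SAMPLE_INSPECT):
        print("host-userns root container:", rec)
    print(" ".join(chown_cleanup_argv("/home/ci/builds/job-1", 1000, 1000)))
```

On a real host, feed `host_userns_root_containers` the output of `docker inspect $(docker ps -aq)`; only the cleanup container should be flagged, and only while the daemon actually has userns-remap enabled does the `--userns=host` flag change anything.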

@toote (Contributor) commented Jun 3, 2025

Makes sense! Would you be able to also document that in the chown option so that it is not a surprise for those running the plugin?

@HackAttack (Contributor, Author)

What do you think should be documented? This change seems like a bug fix that should be transparent to users. Before this change, the chown option would not work if userns-remap was enabled—now it should. I’m not sure the implementation details of how it works should be in the documentation?

@toote (Contributor) commented Jun 3, 2025

Just that the chown option will run a container that will share the host's user namespace. Some security people may have issues with that and we want to disclose that kind of thing just in case.

This feature breaks our ability to effectively become root (by design).
@HackAttack HackAttack force-pushed the disable-userns-remap-for-chown branch from fb7797e to 86c5420 Compare October 1, 2025 21:15
@HackAttack (Contributor, Author)

Ok, done.
