Linux supports the user namespace feature. The feature enables processes to have different user IDs and group IDs in different user namespaces to isolate permissions. However, enabling the user namespace feature increases the risk of privilege escalation attacks to the system. Attackers may exploit system vulnerabilities to obtain privileged permissions and escape the system permission control. This topic describes how to configure security hardening for user namespaces in Alibaba Cloud Linux 2 and 3 operating systems. You can modify kernel parameters to cater to specific business scenarios.
Configure security hardening for user namespaces
You can configure the following parameters based on your business requirements to reduce risks:
Configure the user.max_user_namespaces parameter to specify the maximum number of child namespaces that you can create under a parent namespace at each level.
Configure the kernel.userns_max_level parameter to specify the maximum nesting depth of namespaces.
Configure the kernel.unprivileged_userns_clone parameter to specify whether non-privileged users who do not have the CAP_SYS_ADMIN permissions are allowed to create namespaces.
user.max_user_namespaces
A value of 0 indicates that the user namespace feature is disabled, which prevents namespaces from being created.
Query the maximum number of child namespaces that can be created under a parent namespace at each level.
/proc interface: cat /proc/sys/user/max_user_namespaces
sysctl interface: sysctl -n user.max_user_namespaces
Specify the maximum number of child namespaces that can be created under a parent namespace at each level. Replace <namespaces> with the maximum number of child namespaces that you want to allow under a parent namespace at each level. For example, if you want to disable namespace creation, set <namespaces> to 0.
/proc interface: sudo sh -c 'echo <namespaces> > /proc/sys/user/max_user_namespaces'
sysctl interface: sudo sysctl -w user.max_user_namespaces=<namespaces>
kernel.userns_max_level
Limits
Alibaba Cloud Linux 2 with kernel version 4.19.91-27 and later
Alibaba Cloud Linux 3 with kernel version 5.10.134-12 and later
Valid values of the kernel.userns_max_level parameter: 0 to 33. A value of 0 indicates that the user namespace feature is disabled. Default value: 33, which is consistent with the native kernel behavior.
Query the maximum nesting depth of namespaces.
/proc interface: cat /proc/sys/kernel/userns_max_level
sysctl interface: sysctl -n kernel.userns_max_level
Specify the maximum nesting depth of namespaces. Replace <levels> with the maximum number of levels for nested user namespaces. For example, if you want to disable the user namespace feature, set <levels> to 0.
/proc interface: sudo sh -c 'echo <levels> > /proc/sys/kernel/userns_max_level'
sysctl interface: sudo sysctl -w kernel.userns_max_level=<levels>
kernel.unprivileged_userns_clone
Limits
Alibaba Cloud Linux 2 with kernel version 4.19.91-27 and later
Alibaba Cloud Linux 3 with kernel version 5.10.134-12 and later
Allowing non-privileged users to create namespaces may increase the risk of privilege escalation attacks. Valid values of the kernel.unprivileged_userns_clone parameter:
1: allows non-privileged users who do not have the CAP_SYS_ADMIN permissions to create namespaces, which is consistent with the native kernel behavior.
0: does not allow non-privileged users who do not have the CAP_SYS_ADMIN permissions to create namespaces. In this case, only privileged users who have the CAP_SYS_ADMIN permissions can create namespaces.
Query whether non-privileged users who do not have the CAP_SYS_ADMIN permissions can create namespaces.
/proc interface: cat /proc/sys/kernel/unprivileged_userns_clone
sysctl interface: sysctl -n kernel.unprivileged_userns_clone
Specify whether non-privileged users who do not have the CAP_SYS_ADMIN permissions can create namespaces based on your business requirements. Writing to these parameters requires root privileges, so run the commands with sudo as in the preceding sections.
/proc interface: sudo sh -c 'echo 0 > /proc/sys/kernel/unprivileged_userns_clone'
sysctl interface: sudo sysctl -w kernel.unprivileged_userns_clone=0
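The following audit script is an added example, not part of the Alibaba Cloud documentation: it reads the three parameters described above through the /proc interface, treats a parameter the running kernel does not expose as "absent" (kernel.userns_max_level and kernel.unprivileged_userns_clone exist only on the kernel versions listed), and classifies the host's effective posture. The PROC_ROOT variable and the function names are assumptions introduced here; pointing PROC_ROOT at a constructed directory tree lets the logic be checked offline.

```shell
#!/bin/sh
# Added audit helper (not from the Alibaba Cloud page): reads the three
# user-namespace sysctls described above and classifies the host posture.
# PROC_ROOT defaults to /proc/sys; point it at a constructed directory tree
# (assumption: same layout as /proc/sys) to exercise the logic offline.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# read_knob <path relative to /proc/sys>: prints the value, or "absent" when
# the running kernel does not expose it (kernel.userns_max_level and
# kernel.unprivileged_userns_clone exist only on the kernel versions listed).
read_knob() {
    f="$PROC_ROOT/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

# classify <max_user_namespaces> <userns_max_level> <unprivileged_userns_clone>
# Prints one word for the effective posture, strictest first:
#   disabled        - no user namespace can be created at all
#   privileged-only - creation requires CAP_SYS_ADMIN
#   nesting-limited - unprivileged creation allowed, depth capped below 33
#   default         - native kernel behaviour (33 levels, unprivileged allowed)
classify() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then
        printf 'disabled'
    elif [ "$3" = 0 ]; then
        printf 'privileged-only'
    elif [ "$2" != absent ] && [ "$2" -lt 33 ]; then
        printf 'nesting-limited'
    else
        printf 'default'
    fi
}

# audit: print the raw values, then the posture word on its own line.
audit() {
    max_ns=$(read_knob user/max_user_namespaces)
    max_level=$(read_knob kernel/userns_max_level)
    unpriv=$(read_knob kernel/unprivileged_userns_clone)
    printf 'user.max_user_namespaces=%s\nkernel.userns_max_level=%s\nkernel.unprivileged_userns_clone=%s\n' \
        "$max_ns" "$max_level" "$unpriv"
    classify "$max_ns" "$max_level" "$unpriv"
    printf '\n'
}

audit
```

Values written with sysctl -w or echo into /proc are lost at reboot, so after choosing a posture also persist the settings in a file under /etc/sysctl.d and re-run the audit after the next boot to confirm they took effect.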