
It's the default on pretty much any modern Linux system!


From 2016: https://lwn.net/Articles/673597/

Andy Lutomirski described some concerns of his own:

> I consider the ability to use CLONE_NEWUSER to acquire CAP_NET_ADMIN over /any/ network namespace and to thus access the network configuration API to be a huge risk. For example, unprivileged users can program iptables. I'll eat my hat if there are no privilege escalations in there.


I hope he hasn't been eating his hat all these years. I hear that isn't good for the digestive system... /s



