New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix userns_enabled? check for unprivileged_userns_clone #11017

Merged
merged 1 commit into from Nov 26, 2018

Conversation

Projects
None yet
3 participants
@bcoles
Contributor

bcoles commented Nov 25, 2018

The unprivileged_userns_clone sysctl parameter may not be present on the target system.

On Fedora 28 Workstation, /proc/sys/kernel/unprivileged_userns_clone is not present (nor is userns_restrict), and the system fails open in its absence, allowing unprivileged users to create user namespaces.

Prior to this patch, the userns_enabled? method would falsely report unprivileged user namespaces as disabled in the event that the unprivileged_userns_clone sysctl parameter was not present.

The Boolean check for a value of 1 was causing the userns_enabled? method to incorrectly return false, as cat /proc/sys/kernel/unprivileged_userns_clone was returning cat: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory.


diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb
index 4b6faf6..831a2f6 100644
--- a/lib/msf/core/post/linux/kernel.rb
+++ b/lib/msf/core/post/linux/kernel.rb
@@ -105,7 +105,8 @@ module Kernel
   #
   def userns_enabled?
     return false if cmd_exec('cat /proc/sys/user/max_user_namespaces').to_s.strip.eql? '0'
-    cmd_exec('cat /proc/sys/kernel/unprivileged_userns_clone').to_s.strip.eql? '1'
+    return false if cmd_exec('cat /proc/sys/kernel/unprivileged_userns_clone').to_s.strip.eql? '0'
+    true
   rescue
     raise 'Could not determine userns status'
   end

@busterb busterb self-assigned this Nov 26, 2018

@busterb

This comment has been minimized.

Contributor

busterb commented Nov 26, 2018

LGTM, thanks @bcoles

@busterb busterb merged commit 8f07f29 into rapid7:master Nov 26, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

busterb added a commit that referenced this pull request Nov 26, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 26, 2018

@busterb

This comment has been minimized.

Contributor

busterb commented Nov 26, 2018

Release Notes

This fixes the userns_enabled? method for Linux kernel post module capability detection when the unprivileged_userns_clone or proc file entries are unavailable.

@bcoles bcoles deleted the bcoles:lib-linux-kernel-userns branch Nov 26, 2018

@gdavidson-r7 gdavidson-r7 added the rn-fix label Dec 4, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment