LtWorf 3 days ago

Also user namespaces have had a long list of vulnerabilities, but that's still better than running docker as root directly.

cpuguy83 3 days ago | parent | next [-]

That is a ridiculous statement. In the case of userns exploits there have been many and it means that every unprivileged user can obtain root on the machine.

Whereas rootful docker is a well known thing, run on millions of machines, and none of the vulnerabilities discovered in its entire existence is as bad as any single priv escalation issue caused by allowing unprivileged users to create a user namespace.

LtWorf 3 days ago | parent [-]

Lol that's just like saying having no door is better because some people can pick locks and occasionally open doors.

cpuguy83 3 days ago | parent [-]

No, it's saying the door is a lie. At least within the context of your statement about vulnerabilities.

jeffbee 3 days ago | parent | prev [-]

Hrmm. "Take over the entire machine" type vulnerabilities, or "these namespaces weren't quite as isolated as we thought" vulnerabilities?

chupasaurus 3 days ago | parent | next [-]

The latter can easily propagate to the former if seccomp/AppArmor/MAC isn't set properly.

cpuguy83 3 days ago | parent | prev | next [-]

Escalating from an unprivileged user to root by creating userns and exploiting various things in the kernel along the way.
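
Both the escalation path described here and the earlier point about seccomp/AppArmor/MAC come down to one precondition: an unprivileged user being allowed to create a user namespace at all. The following POSIX shell script is an added defender-side check, not code from anyone in this thread; it reads the relevant sysctls and classifies the host's posture. It assumes the mainline `user.max_user_namespaces` sysctl (0 disables creation for everyone), the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` (0 blocks unprivileged creation), and Ubuntu's newer `kernel.apparmor_restrict_unprivileged_userns` (1 confines unprivileged creation under AppArmor); the latter two are treated as absent on kernels that do not carry them.

```shell
#!/bin/sh
# Added example (not from the thread): assess whether unprivileged users on
# this host can create user namespaces, the precondition for the userns-based
# privilege-escalation class being discussed.
#
# Assumed sysctls (absent keys are treated as empty strings):
#   user.max_user_namespaces                      mainline: 0 = nobody can create
#   kernel.unprivileged_userns_clone              Debian/Ubuntu patch: 0 = unprivileged blocked
#   kernel.apparmor_restrict_unprivileged_userns  Ubuntu 23.10+: 1 = unprivileged confined

# Classify a combination of sysctl values.
#   $1 = user.max_user_namespaces (integer)
#   $2 = kernel.unprivileged_userns_clone ("" if the key does not exist)
#   $3 = kernel.apparmor_restrict_unprivileged_userns ("" if absent)
# Prints one of: disabled, restricted, confined, open
classify_userns() {
  max_ns=$1; clone=$2; aa=$3
  # Hard limit of zero disables creation for every user, privileged or not.
  if [ "$max_ns" -eq 0 ] 2>/dev/null; then
    echo disabled; return
  fi
  # Distribution patch that gates creation on CAP_SYS_ADMIN.
  if [ -n "$clone" ] && [ "$clone" -eq 0 ] 2>/dev/null; then
    echo restricted; return
  fi
  # Creation allowed, but unprivileged callers land in an AppArmor-confined namespace.
  if [ -n "$aa" ] && [ "$aa" -eq 1 ] 2>/dev/null; then
    echo confined; return
  fi
  echo open
}

# Read a sysctl through /proc, printing "" when the key does not exist here.
read_sysctl() {
  path="/proc/sys/$(echo "$1" | tr . /)"
  [ -r "$path" ] && cat "$path" 2>/dev/null || true
}

# Live assessment of the host the script runs on.
assess_host() {
  classify_userns \
    "$(read_sysctl user.max_user_namespaces)" \
    "$(read_sysctl kernel.unprivileged_userns_clone)" \
    "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)"
}

posture=$(assess_host)
if [ "$posture" = open ]; then
  echo "unprivileged user namespace creation: OPEN (consider user.max_user_namespaces=0 if no rootless runtime needs it)"
else
  echo "unprivileged user namespace creation: $posture"
fi
```

The classification is ordered from strongest to weakest control, so a host that sets `user.max_user_namespaces=0` reports `disabled` regardless of the other keys. `open` is the state the thread is arguing about: the kernel's userns entry points are reachable from any local account, so any bug in that code path becomes a local privilege escalation. Note that this is a host-level check; inside a container, Docker's default seccomp profile separately denies `unshare` and `clone` with `CLONE_NEWUSER` unless the container holds `CAP_SYS_ADMIN`, which is the layer the "if seccomp/AppArmor/MAC isn't set properly" comment refers to.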

LtWorf 3 days ago | parent | prev [-]

CVEs are publicly available