#1 2022-12-22 02:04:14

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Best non-ideal practice re. Zoom & user namespaces vs. setuid

This week I happened across the wiki's advice to use

kernel.unprivileged_userns_clone = 0

Unfortunately, this setting is incompatible with Zoom, which simply dumps core on attempted launch. Judging from the comments on the AUR page, Zoom requires either setuid root or the user namespaces. The conclusion there is somewhat divided, but neither option is exactly ideal.

Here's my understanding of the two options:

  1. Setting setuid root on the binary gives Zoom immediate root privileges with nothing required to access whatever kernel code it wants, but it does not give any other processes elevated privileges. In particular, it does not affect other processes when Zoom is not running.

  2. Allowing user namespaces affects everything, but there is some obstacle to processes accessing worrying bits of kernel code.

I've heard a lot about namespaces but, if I'm honest, I do not really understand this. If this setting was really only a short step from granting root privileges to everything, then setuid root on a single binary would surely be preferable. But I'm also confident the setting would not be default, so I think it cannot be quite as my interpretation of that discussion suggests.

I had thought user namespaces were about containing/limiting processes - that they were used to enable things like 'containers'. Obviously, allowing anything is less secure than allowing nothing, but I thought they were intended to allow various things to be done in less risky ways.

  1. Would it be safer to run Zoom setuid root?

  2. If not, is there a reason not to change the kernel setting only when running Zoom? Would there be any point in even trying to do this?

  3. Is there any better alternative than the two mentioned above?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
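
The two configurations compared in the post above can be read back from a running system. This is an added example, not part of any post in this thread: a shell check that reports the user-namespace policy and whether a given binary is setuid. The function names and the proc-root parameter are assumptions made for illustration, the binary path is supplied by the reader, and `kernel.unprivileged_userns_clone` comes from a distribution patch, so it can be absent where only the mainline `user.max_user_namespaces` exists.

```shell
#!/bin/sh
# Added example: report which of the thread's two options a host is using.
# PROC_ROOT is a parameter only so the functions can be tested on a fake tree.

# Prints: disabled | privileged-only | unprivileged-allowed | unknown
userns_state() {
    root=${1:-/proc}
    max_file=$root/sys/user/max_user_namespaces
    clone_file=$root/sys/kernel/unprivileged_userns_clone

    # Mainline knob: 0 means nobody, not even root, can create user namespaces.
    if [ ! -r "$max_file" ]; then
        echo unknown
        return 0
    fi
    if [ "$(cat "$max_file")" -eq 0 ]; then
        echo disabled
        return 0
    fi
    # Distribution-patched knob (absent on kernels without the patch):
    # 0 restricts namespace creation to privileged processes.
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" -eq 0 ]; then
        echo privileged-only
        return 0
    fi
    echo unprivileged-allowed
}

# Prints: not-setuid | setuid-root | setuid-uid-<N>
setuid_state() {
    file=$1
    if [ ! -u "$file" ]; then
        echo not-setuid
        return 0
    fi
    # Numeric owner uid is the third field of a long numeric listing.
    owner=$(ls -lnd -- "$file" | awk '{print $3}')
    if [ "$owner" -eq 0 ]; then echo setuid-root; else echo "setuid-uid-$owner"; fi
}

# Usage: sh audit.sh /path/to/binary   (path supplied by the reader)
if [ "$#" -gt 0 ]; then
    echo "user namespaces: $(userns_state /proc)"
    echo "$1: $(setuid_state "$1")"
fi
```
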

#2 2022-12-22 02:24:33

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,514

Re: Best non-ideal practice re. Zoom & user namespaces vs. setuid

I too don't really understand much about these user namespaces and unprivileged user namespaces.  And I'm partially commenting here to ensure I follow this thread to get input from those who know about these.  However, one thing I'm quite confident about is that running zoom as setuid/root would be an absolute horrific recipe for disaster.  If anyone claims that my current running of the vanilla arch kernel without any additional security settings is even half as risky as running zoom as root, then I'd be convinced that the entire linux ecosystem is completely doomed and I'd feel a need to consider BSD or just going back to WinMacWhatever.

But another alternative may be to just use zoom in a browser.  I've found that much easier to use than running the actual zoom "app", at least for the past couple years.  Once upon a time the in-browser experience on the zoom web page was pretty limited, but now it's reasonably good.  I don't know whether using zoom via a browser would work with the above-mentioned namespace security setting though - I've never enabled it.  But it might be worth a test.

Side note: I'm getting some groups to convert to Jitsi, but zoom is still an unfortunate necessity.

Last edited by Trilby (2022-12-22 02:31:55)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#3 2022-12-22 03:14:43

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: Best non-ideal practice re. Zoom & user namespaces vs. setuid

Trilby wrote:

I too don't really understand much about these user namespaces and unprivileged user namespaces.  And I'm partially commenting here to ensure I follow this thread to get input from those who know about these.  However, one thing I'm quite confident about is that running zoom as setuid/root would be an absolute horrific recipe for disaster.  If anyone claims that my current running of the vanilla arch kernel without any additional security settings is even half as risky as running zoom as root, then I'd be convinced that the entire linux ecosystem is completely doomed and I'd feel a need to consider BSD or just going back to WinMacWhatever.

Thanks. I found the discussion a bit alarming, but I'm hoping (?!) I've either misunderstood or they have.

Trilby wrote:

But another alternative may be to just use zoom in a browser.  I've found that much easier to use than running the actual zoom "app", at least for the past couple years.  Once upon a time the in-browser experience on the zoom web page was pretty limited, but now it's reasonably good.  I don't know whether using zoom via a browser would work with the above-mentioned namespace security setting though - I've never enabled it.  But it might be worth a test.

I don't know anything about doing this. I didn't even know it was possible. I've joined Zoom sessions from links, but the browser has always led to the application starting. I think I might have heard of this for joining, though I don't know how to do it that way, but I didn't know you could use it more generally. Does it have the same functionality or are there limitations?

Trilby wrote:

Side note: I'm getting some groups to convert to Jitsi, but zoom is still an unfortunate necessity.

Thanks. An alternative would be good for personal use, but Zoom is endorsed by my uni. For work, the alternatives would be Teams (for meetings) or Blackboard's Collaborate (if I need to switch to online teaching). I'm not sure either of those would work for meetings with students. And, of course, it's not always my call anyway. Plus, I'd frankly rather use Zoom than either.

I also admit that I prefer to use something I'm comfortable with when I'm responsible for making things work. Even when 'comfortable with' means knowing the quirks and having classes of students trained to cooperate in workarounds .... If Zoom fails, that's an IT problem. If Jitsi failed, that would be my problem! :(



#4 2022-12-22 04:48:00

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,514

Re: Best non-ideal practice re. Zoom & user namespaces vs. setuid

For zoom in a browser, you start at the same page as you would otherwise, but rather than the "open in zoom" button, use the small link lower on the page that says something like "join from your browser".

cfr wrote:

Does it have the same functionality or are there limitations?

A year or two ago the web implementation was pretty limited.  You could not select different views (I think "speaker view" was the only option).  But the browser version has caught up in every way that I'm aware of (gallery view is available, mirror your own video is available, etc - even "backgrounds").  But I've not used the zoom "app" in ages, so it may have some options that are not (yet) in the web implementation.
