Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permis

acl-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permis

From:	Christian Brauner
Subject:	Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces
Date:	Wed, 30 Aug 2023 10:18:22 +0200

On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the Linux man-pages project.
> ---
>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>  Linux 3.12 added support for the last of the unsupported major filesystems,
>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>  XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces 
> the
> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.

For the content,
Acked-by: Christian Brauner <brauner@kernel.org>

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces, (continued)
- Re: [PATCH 0/3] Document impact of user namespaces and negative permissions, Alejandro Colomar, 2023/08/29
  - Re: [PATCH 0/3] Document impact of user namespaces and negative permissions, Richard Weinberger, 2023/08/29
- [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Richard Weinberger, 2023/08/29
  - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Alejandro Colomar, 2023/08/29
    - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Richard Weinberger, 2023/08/29
    - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Alejandro Colomar, 2023/08/29
    - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Alejandro Colomar, 2023/08/29
    - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Richard Weinberger, 2023/08/29
    - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Alejandro Colomar, 2023/08/30
  - Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces, Christian Brauner <=
- [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces, Richard Weinberger, 2023/08/29
  - Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces, Christian Brauner, 2023/08/30

Prev by Date: Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces
Next by Date: Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces
Previous by thread: Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces
Next by thread: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces
Index(es):
- Date
- Thread