On November 15, 2014 6:05:11 PM PST, Theodore Ts'o <tytso@xxxxxxx> wrote:
>On Sat, Nov 15, 2014 at 12:20:42PM -0800, Josh Triplett wrote:
>> > However, sudoers seems to allow negative group matches. So maybe
>> > allowing this only with no_new_privs already set would make sense.
>>
>> Sigh, bad sudo. Sure, restricting this to no_new_privs only seems fine.
>> I'll do that in v2, and document that in the manpage.
>
>I've also seen use cases (generally back in the bad old days of big
>timesharing VAX 750's :-) where the system admin might assign someone
>to the "games-abusers" group, and then set /usr/games to mode 705
>root:games-abusers --- presumably because it's easier to add a few
>people to the deny list rather than having to add all of the EECS
>department to the games group minus the abusers.
>
>So arbitrarily allowing anyone to drop groups from their supplemental
>group list will result in a change from both existing practice and
>legacy Unix systems, and it could potentially lead to a security exposure.

As Andy pointed out, you can already do that with a user namespace, for
any case not involving a setuid or setgid (or otherwise privilege-gaining)
program. And requiring no_new_privs handles that.

Given the combination of those two things, do you still see any
problematic cases?

- Josh Triplett

--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
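The "mode 705 root:games-abusers" setup Ted describes works only because Unix picks the group permission class when the caller is a member of the file's group, even when that class grants less than "other" does. The following is an added illustration, not code from this thread or from the kernel: a small Python model of the POSIX class-selection rule that shows why letting a process drop a supplementary group turns such a deny-group into a no-op, plus an audit helper an administrator can run to find directories that rely on this negative-group pattern. All uids, gids and the `/usr/games` scenario are constructed values for the example.

```python
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet, Iterator, Tuple

R, W, X = 4, 2, 1  # classic rwx permission bits


@dataclass(frozen=True)
class Subject:
    """Credentials of the calling process (constructed, not read from the OS)."""
    uid: int
    gid: int
    groups: FrozenSet[int]  # supplementary group list


def class_bits(mode: int, file_uid: int, file_gid: int, subj: Subject) -> int:
    """Select the permission class exactly as the POSIX rule does:
    owner match wins, then a primary-or-supplementary group match,
    otherwise 'other'. Only ONE class is consulted; they are not unioned."""
    if subj.uid == file_uid:
        return (mode >> 6) & 7
    if subj.gid == file_gid or file_gid in subj.groups:
        return (mode >> 3) & 7
    return mode & 7


def permitted(mode: int, file_uid: int, file_gid: int, subj: Subject, want: int) -> bool:
    """True if every bit in `want` is granted by the selected class."""
    return class_bits(mode, file_uid, file_gid, subj) & want == want


def is_negative_group_mode(mode: int) -> bool:
    """A 'deny group' pattern: 'other' is granted something that 'group' is not.
    Such an entry stops protecting anything if group membership can be shed."""
    group_bits = (mode >> 3) & 7
    other_bits = mode & 7
    return (other_bits & ~group_bits) != 0


def find_negative_group_entries(root: str) -> Iterator[Tuple[str, int, int]]:
    """Walk `root` and yield (path, mode, gid) for entries using the pattern.
    Defender-side audit helper; it only reads metadata."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = stat.S_IMODE(st.st_mode)
            if is_negative_group_mode(mode):
                yield path, mode, st.st_gid


def demo() -> Tuple[bool, bool]:
    """Ted's scenario: /usr/games is 0705 root:games-abusers (constructed ids:
    root=0, games-abusers=1001, user alice=1000). Returns (access while in the
    deny group, access after dropping the deny group)."""
    games_mode, games_uid, games_gid = 0o705, 0, 1001
    want = R | X  # list and traverse the directory

    alice_in_deny_group = Subject(uid=1000, gid=1000, groups=frozenset({1001}))
    alice_dropped_group = Subject(uid=1000, gid=1000, groups=frozenset())

    before = permitted(games_mode, games_uid, games_gid, alice_in_deny_group, want)
    after = permitted(games_mode, games_uid, games_gid, alice_dropped_group, want)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"in games-abusers: access={before}; after dropping the group: access={after}")
    # Audit the real filesystem for the same pattern (read-only):
    for path, mode, gid in find_negative_group_entries("/usr"):
        print(f"{path}: mode {mode:04o} denies group {gid} more than others")
```

The model makes the security point concrete: with the group present, `class_bits` returns 0 and access is refused; with the group gone, the same call falls through to the "other" class and grants `r-x`. Nothing about the directory changed, only the caller's credential set, which is why unprivileged group dropping has to be paired with something like `no_new_privs` so that a setgid binary relying on the old semantics cannot be reached afterwards. The audit walker lets an administrator inventory any such deny-group entries before a change in group-dropping semantics lands.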