On Sun, Nov 16, 2014 at 07:42:30AM -0800, Andy Lutomirski wrote:
> On Sun, Nov 16, 2014 at 5:32 AM, Theodore Ts'o <tytso@xxxxxxx> wrote:
> > On Sat, Nov 15, 2014 at 09:08:07PM -0600, Eric W. Biederman wrote:
> >>
> >> That may be a bug with the user namespace permission check. Perhaps we
> >> shouldn't allow dropping groups that aren't mapped in the user
> >> namespace.
> >
> > I'm not saying that we can't change the behavior of whether or not a
> > user can drop a group permission. I'm just saying that we need to do
> > so consciously. The setgroups()/getgroups() ABI isn't part of
> > POSIX/SuSv3 so we wouldn't be breaking POSIX compatibility, for those
> > people who care about that.
> >
> > It may make sense to reach out to some place like oss-security.
>
> FWIW, I think we should ask, at the same time, about:
>
> - Dropping supplementary groups.
> - Switching gid/egid/sgid to a supplementary group.
> - Denying ptrace of a process with supplementary groups that the
> tracer doesn't have.

I wonder how crazy it would be to just require either CAP_SYS_PTRACE or
cred1 == cred2 (as in, you have *exactly* the same credentials as the
target)?

> Also, I much prefer a sysctl to a boot option. Boot options are nasty
> to configure in many distributions.

Agreed.

- Josh Triplett
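As an added illustration of the three ptrace rules discussed in this thread (not code from the thread or from the kernel): a Python model of the current uid/gid-style check, Andy's supplementary-group subset variant, and Josh's exact-credential rule, evaluated on constructed credentials. The model is a simplification: the kernel's capability-set comparison and LSM hooks are omitted, and the Cred class and sample values are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    """Simplified model of a task's credentials (not the kernel's struct cred)."""
    uid: int
    euid: int
    suid: int
    gid: int
    egid: int
    sgid: int
    groups: frozenset = frozenset()  # supplementary groups
    cap_sys_ptrace: bool = False

def ptrace_allowed_uidgid(tracer: Cred, tracee: Cred) -> bool:
    """Current-style rule (simplified; capability-set and LSM checks omitted):
    the tracer's real uid/gid must equal all three uids/gids of the tracee,
    or the tracer holds CAP_SYS_PTRACE. Supplementary groups are ignored."""
    if tracer.cap_sys_ptrace:
        return True
    return (tracer.uid == tracee.uid == tracee.euid == tracee.suid
            and tracer.gid == tracee.gid == tracee.egid == tracee.sgid)

def ptrace_allowed_groups(tracer: Cred, tracee: Cred) -> bool:
    """Andy's variant: additionally deny when the tracee holds a
    supplementary group the tracer does not have."""
    if tracer.cap_sys_ptrace:
        return True
    return ptrace_allowed_uidgid(tracer, tracee) and tracee.groups <= tracer.groups

def ptrace_allowed_exact(tracer: Cred, tracee: Cred) -> bool:
    """Josh's variant: CAP_SYS_PTRACE, or exactly the same credentials
    (all six ids equal and identical supplementary group sets)."""
    return tracer.cap_sys_ptrace or tracer == tracee

# Constructed sample: identical uids/gids, but the tracee also holds group 1005.
TRACER = Cred(1000, 1000, 1000, 1000, 1000, 1000, groups=frozenset({1002}))
TRACEE = Cred(1000, 1000, 1000, 1000, 1000, 1000, groups=frozenset({1002, 1005}))

def decisions(tracer: Cred = TRACER, tracee: Cred = TRACEE) -> dict:
    """Evaluate all three rules for one tracer/tracee pair."""
    return {
        "uidgid": ptrace_allowed_uidgid(tracer, tracee),
        "groups": ptrace_allowed_groups(tracer, tracee),
        "exact": ptrace_allowed_exact(tracer, tracee),
    }

if __name__ == "__main__":
    for rule, allowed in decisions().items():
        print(f"{rule:>6}: {'allow' if allowed else 'deny'}")
```

On the sample pair the uid/gid rule allows the trace while both stricter rules deny it, which is exactly the gap Andy's third bullet points at.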