[PATCH 0/3] Document impact of user namespaces and negative permissions



I'm sending out this patch series to document the current situation regarding
negative permissions and user namespaces.

From what I understand, the general agreement is that negative permissions
are not recommended and should be avoided. This is why the ability to somewhat
bypass these permissions using user namespaces is tolerated, as it's deemed
not worth the complexity to address this without breaking existing programs such
as podman.

To be clear, the current way of bypassing negative permissions, whether DAC or
ACL, isn't a result of a kernel flaw. The kernel issue related to this was
resolved with CVE-2014-8989. Currently, certain privileged helpers like
newuidmap allow regular users to create user namespaces with subordinate user
and group ID mappings.
This allows users to effectively drop their extra group memberships.

I recently stumbled upon this behavior while looking into how rootless containers
work. In conversations with the maintainers of the shadow package, I learned that
this behavior is both known and intended.
So, let's make sure to document it as well.
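
An added example, not part of the original message or the patch series: a defender-side audit that lists files and directories whose mode bits grant "other" a permission that the owning group is denied, which is the DAC form of the negative permissions discussed above. The function names are hypothetical, and only st_mode is inspected, not POSIX ACL entries.

```python
import os
import stat
import sys


def negative_group_bits(mode):
    """Return the rwx bits granted to 'other' but withheld from the group class."""
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    return other & ~group


def fmt(bits):
    """Render a 3-bit rwx value as a string such as 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def find_negative_group_perms(root):
    """Walk root (included) and return sorted (path, gid, denied_bits) tuples.

    A finding means: members of the owning group are refused an access that
    everyone else gets, so the restriction only holds while the group
    membership cannot be dropped.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks
        except OSError:
            continue  # vanished or unreadable entry
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are not used for access checks
        bits = negative_group_bits(st.st_mode)
        if bits:
            findings.append((path, st.st_gid, fmt(bits)))
    return sorted(findings)


if __name__ == "__main__":
    top = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, gid, bits in find_negative_group_perms(top):
        print(f"{path}: gid {gid} is denied '{bits}' that others are granted")
```

Each finding is a place where access control depends on a group membership staying attached to the process, so it is a candidate for replacing with a positive grant.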


