[PATCH 1/3] man: Document pitfall with negative permissions and user namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@xxxxxx>
This patch applies to the acl software project.
 man/man5/acl.5 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/man/man5/acl.5 b/man/man5/acl.5
index 0db86b325617..2ed144742e37 100644
--- a/man/man5/acl.5
+++ b/man/man5/acl.5
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems.
 .Xr acl_from_mode 3 ,
 .Xr acl_get_perm 3 ,
 .Xr acl_to_any_text 3
+.Ss Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+ACLs, such an approach is widely regarded as a suboptimal practice.
+Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.Xr newuidmap 1 ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+For more details, please refer to the
+.Xr user_namespaces 7
 Andreas Gruenbacher, <andreas.gruenbacher@xxxxxxxxx>

[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux