Re: [PATCH 0/3] Document impact of user namespaces and negative permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hello Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> I'm sending out this patch series to document the current situation regarding
> negative permissions and user namespaces.
> From what I understand, the general agreement is that negative permissions
> are not recommended and should be avoided. This is why the ability to somewhat
> bypass these permissions using user namespaces is tolerated, as it's deemed
> not worth the complexity to address this without breaking exsting programs such
> as podman.
> To be clear, the current way of bypassing negative permissions, whether DAC or
> ACL, isn't a result of a kernel flaw. The kernel issue related to this was
> resolved with CVE-2014-8989. Currently, certain privileged helpers like
> newuidmap allow regular users to create user namespaces with subordinate user
> and group ID mappings.
> This allows users to effectively drop their extra group memberships.
> I recently stumbled upon this behavior while looking into how rootless containers
> work. In conversations with the maintainers of the shadow package, I learned that
> this behavior is both known and intended.
> So, let's make sure to document it as well.

Can you please provide a small shell session where this is exemplified?
I.e., please show how a user (or group member) can read a file with
u= (or g= ) permissions on the file.

I.e., what can you do from here?:

$ echo bar > foo
$ ls -l foo
-rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo
$ chmod u= foo
$ sudo chmod g= foo
$ ls -l foo
-------r-- 1 alx alx 4 Aug 29 23:24 foo
$ cat foo
cat: foo: Permission denied


GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux