I'm sending out this patch series to document the current situation regarding negative permissions and user namespaces.

From what I understand, the general agreement is that negative permissions are not recommended and should be avoided. This is why the ability to somewhat bypass these permissions using user namespaces is tolerated, as it's deemed not worth the complexity to address this without breaking existing programs such as podman.

To be clear, the current way of bypassing negative permissions, whether DAC or ACL, isn't a result of a kernel flaw. The kernel issue related to this was resolved with CVE-2014-8989.

Currently, certain privileged helpers like newuidmap allow regular users to create user namespaces with subordinate user and group ID mappings. This allows users to effectively drop their extra group memberships.

I recently stumbled upon this behavior while looking into how rootless containers work. In conversations with the maintainers of the shadow package, I learned that this behavior is both known and intended. So, let's make sure to document it as well.

Thanks,
//richard

-- 
2.26.2
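The cover letter's practical point is that access control which relies on group membership to deny (a "negative permission", e.g. a directory with mode 0705 where the owning group has less than everyone else) is only as strong as the caller's inability to shed that group, and unprivileged user namespaces with subuid/subgid mappings let a caller do exactly that. The audit script below is an added example, not part of the patch series or the author's work: it walks a tree and flags every entry whose group bits are a strict subset of the other bits, which is the DAC form of the pattern the text says should be avoided. It assumes GNU stat(1) with `-c '%a'`; the sample tree it builds is constructed here for illustration. ACL deny entries (the other case the letter mentions) would need getfacl and are not covered.

```shell
#!/bin/sh
# Added example (not from the patch series): audit a directory tree for
# "negative permission" entries, i.e. paths whose owning group is granted
# fewer rights than everyone else (e.g. mode 0705). Such entries use group
# membership to *deny* access, which a process can sidestep by dropping its
# supplementary groups in a user namespace, as the cover letter describes.
# Assumes GNU stat(1) supporting -c '%a'.

# Print "<octal mode> <path>" for each entry under $1 where some permission
# bit is set for "other" but cleared for "group".
find_negative_perms() {
    find "$1" -print | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path") || continue
        # "0$mode" makes the shell parse the digits as octal; the low 9 bits
        # are the owner/group/other rwx triplets.
        group=$(( (0$mode >> 3) & 7 ))
        other=$(( 0$mode & 7 ))
        if [ $(( other & ~group & 7 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# Number of negative-permission entries under $1.
count_negative_perms() {
    find_negative_perms "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree in a temp directory and print its path:
# two entries rely on negative group permissions, two do not.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared" "$root/group_denied" "$root/private"
    : > "$root/group_readonly"
    chmod 0775 "$root/shared"          # group has more than other: fine
    chmod 0705 "$root/group_denied"    # group denied, other allowed: flagged
    chmod 0700 "$root/private"         # other has nothing: fine
    chmod 0757 "$root/group_readonly"  # other may write, group may not: flagged
    printf '%s\n' "$root"
}

# Run with --demo to build the sample tree and list the flagged entries.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_negative_perms "$tree"
    rm -rf "$tree"
fi
```

Anything this script lists is a spot where the effective policy is "everyone except group X", and where X is a supplementary group the caller can shed inside a user namespace. The fix is the one the letter implies: express the restriction positively (grant to the intended group, deny to other) rather than relying on a group-based denial.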