It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@xxxxxx> --- This patch applies to the Linux man-pages project. --- man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index a65854d737cf..4927e194bcdc 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems Linux 3.12 added support for the last of the unsupported major filesystems, .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 XFS. +.SS Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +DAC or ACL settings, such an approach is widely regarded as a suboptimal +practice. Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.BR newuidmap (1) , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. + +Example: +.in +4n +.EX +$ \fBid\fP +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP +uid=0(root) gid=0(root) groups=0(root) +.EE +.in + +User rw got rid of it's supplementary groups and can now access files that +have been protected using negative permissions that match groups such as \fBnogames\fP. +Please note that the +.BR unshare (1) +tool uses internally +.BR newuidmap (1) . + .\" .SH EXAMPLES The program below is designed to allow experimenting with -- 2.26.2
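Review bot: In the new "Negative permissions and Linux user namespaces" subsection, the explanation of why the bypass works is incomplete and the closing note about unshare(1) is overstated. The text says the helpers "enable unprivileged users to create user namespaces with subordinate user and group IDs" and that "users can drop group memberships", but it never says what actually lets the groups be dropped: the kernel denies setgroups(2) inside a user namespace unless /proc/[pid]/setgroups reads "allow", which it does only when the gid_map was written by a privileged process; because newgidmap(1) is that privileged writer, the restriction the page already describes in its /proc/[pid]/setgroups section no longer applies, and unshare(1) with "-G 0" then calls setgroups() to clear the supplementary groups. I would add a sentence to that effect and a cross-reference to the existing /proc/[pid]/setgroups text, since that mechanism was introduced precisely to stop this trick. Two smaller points: "User rw got rid of it's supplementary groups" should read "its", and "The unshare(1) tool uses internally newuidmap(1)" should be qualified, because unshare only execs newuidmap(1)/newgidmap(1) for range mappings such as "--map-users=100000,0,65536"; with --map-root-user or --map-user it writes uid_map/gid_map itself, so naming newgidmap(1) here is also needed, given that the gid mapping is what enables the bypass.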