[PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@xxxxxx>
---
This patch applies to the Linux man-pages project.
---
 man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index a65854d737cf..4927e194bcdc 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
 Linux 3.12 added support for the last of the unsupported major filesystems,
 .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
 XFS.
+.SS Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+DAC or ACL settings, such an approach is widely regarded as a suboptimal
+practice. Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.BR newuidmap (1) ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+
+Example:
+.in +4n
+.EX
+$ \fBid\fP
+uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
+$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
+uid=0(root) gid=0(root) groups=0(root)
+.EE
+.in
+
+User rw got rid of it's supplementary groups and can now access files that
+have been protected using negative permissions that match groups such as \fBnogames\fP.
+Please note that the
+.BR unshare (1)
+tool uses internally
+.BR newuidmap (1) .
+
 .\"
 .SH EXAMPLES
 The program below is designed to allow experimenting with
-- 
2.26.2




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux