Hello Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> I'm sending out this patch series to document the current situation regarding
> negative permissions and user namespaces.
>
> From what I understand, the general agreement is that negative permissions
> are not recommended and should be avoided. This is why the ability to somewhat
> bypass these permissions using user namespaces is tolerated, as it's deemed
> not worth the complexity to address this without breaking existing programs such
> as podman.
>
> To be clear, the current way of bypassing negative permissions, whether DAC or
> ACL, isn't a result of a kernel flaw. The kernel issue related to this was
> resolved with CVE-2014-8989. Currently, certain privileged helpers like
> newuidmap allow regular users to create user namespaces with subordinate user
> and group ID mappings.
> This allows users to effectively drop their extra group memberships.
>
> I recently stumbled upon this behavior while looking into how rootless containers
> work. In conversations with the maintainers of the shadow package, I learned that
> this behavior is both known and intended.
> So, let's make sure to document it as well.

Can you please provide a small shell session where this is exemplified?
I.e., please show how a user (or group member) can read a file with u=
(or g=) permissions on the file.

I.e., what can you do from here?:

$ echo bar > foo
$ ls -l foo
-rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo
$ chmod u= foo
$ sudo chmod g= foo
$ ls -l foo
-------r-- 1 alx alx 4 Aug 29 23:24 foo
$ cat foo
cat: foo: Permission denied

Cheers,
Alex

--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
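An added example, not part of this thread or of Richard's patch series, written from the auditing side rather than reproducing the namespace behaviour: a POSIX shell script that finds files whose mode relies on negative permissions, i.e. where a later permission class (group or other) holds a bit that an earlier class (owner or group) lacks. Those are exactly the modes in Alex's session above, and the point of the thread is that such modes are not robust against a user who can shed a uid or a supplementary gid through a user namespace, so an administrator may want to know where they exist. It assumes GNU-style find and stat (for stat -c); the helper names negative_classes and audit_negative_perms are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for "negative permissions".
# A mode is negative for the owner class when group or other has a bit the owner
# lacks, and negative for the group class when other has a bit the group lacks.
# Requires GNU/busybox find and stat (stat -c). Helper names are invented here.

# negative_classes MODE
# MODE is an octal mode string as printed by `stat -c %a` (e.g. 644, 604, 2750,
# or just 4 for ----r--). Prints "owner", "group", "owner,group" or nothing.
# Always returns 0 so it can be used in $(...) under `set -e`.
negative_classes() {
    mode=$1
    # stat drops leading zeros; pad back to at least three octal digits
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    # keep only the low three digits (drops a setuid/setgid/sticky digit)
    perm=${mode#"${mode%???}"}
    o=${perm#??}      # other
    ug=${perm%?}
    u=${ug%?}         # owner
    g=${ug#?}         # group
    classes=""
    # owner is negative if group or other holds a bit the owner does not
    if [ $(( (u & g) != g || (u & o) != o )) -ne 0 ]; then
        classes="owner"
    fi
    # group is negative if other holds a bit the group does not
    if [ $(( (g & o) != o )) -ne 0 ]; then
        classes="${classes:+$classes,}group"
    fi
    printf '%s\n' "$classes"
    return 0
}

# audit_negative_perms DIR
# Walks DIR and prints "MODE CLASSES OWNER:GROUP PATH" for every entry whose
# mode is negative for some class. Only the classic mode bits are examined;
# ACL entries (the other case the thread mentions) need getfacl, not stat.
audit_negative_perms() {
    find "$1" -exec stat -c '%a %U %G %n' {} + 2>/dev/null |
    while IFS=' ' read -r mode user group path; do
        classes=$(negative_classes "$mode")
        if [ -n "$classes" ]; then
            printf '%s %s %s:%s %s\n' "$mode" "$classes" "$user" "$group" "$path"
        fi
    done
    return 0
}

# Demonstration on constructed files: the "foo" from the session above, recreated
# in a scratch directory next to an ordinary 644 file. Remove this section to use
# the functions as a plain audit (e.g. audit_negative_perms /srv).
demo=$(mktemp -d)
echo bar > "$demo/foo"
chmod u= "$demo/foo"
chmod g= "$demo/foo"                 # foo is now mode 004: owner,group negative
: > "$demo/ordinary"
chmod 644 "$demo/ordinary"          # ordinary file, not reported
audit_negative_perms "$demo"
rm -rf "$demo"
```

Running the script lists foo (mode 4, classes owner,group) and nothing else. The check is deliberately conservative: it flags any mode where a user could gain a bit by being evaluated in a later class, which is the property user-namespace group dropping exploits, but it says nothing about POSIX ACLs, so trees that use setfacl need a second pass over getfacl output.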