On Sat, Nov 15, 2014 at 11:29 AM, Josh Triplett <josh@xxxxxxxxxxxxxxxx> wrote: > On Sat, Nov 15, 2014 at 09:37:27AM -0600, Eric W. Biederman wrote: >> Josh Triplett <josh@xxxxxxxxxxxxxxxx> writes: >> >> > Currently, unprivileged processes (without CAP_SETGID) cannot call >> > setgroups at all. In particular, processes with a set of supplementary >> > groups cannot further drop permissions without obtaining elevated >> > permissions first. >> > >> > Allow unprivileged processes to call setgroups with a subset of their >> > current groups; only require CAP_SETGID to add a group the process does >> > not currently have. >> >> A couple of questions. >> - Is there precedence in other unix flavors for this? > > I found a few references to now-nonexistent pages at MIT about a system > with this property, but other than that no. > > I've also found more than a few references to people wanting this > functionality. > >> - What motiviates this change? > > I have a series of patches planned to add more ways to drop elevated > privileges without requiring a transition through root to do so. That > would improve the ability for unprivileged users to run programs > sandboxed with even *less* privileges. (Among other things, that would > also allow programs running with no_new_privs to further *reduce* their > privileges, which they can't currently do in this case.) > >> - Have you looked to see if anything might for bug compatibilty >> require applications not to be able to drop supplementary groups? > > I haven't found any such case; that doesn't mean such a case does not > exist. Feedback welcome. > > The only case I can think of (and I don't know of any examples of such a > system): some kind of quota system that limits the members of a group to > a certain amount of storage, but places no such limit on non-members. > > However, the idea of *holding* a credential (a supplementary group ID) > giving *less* privileges, and *dropping* a credential giving *more* > privileges, would completely invert normal security models. (The sane > way to design such a system would be to have a privileged group for > "users who can exceed the quota".) Agreed. And, if you want to bypass quotas by dropping a supplementary group, you already can by unsharing your user namespace. However, sudoers seems to allow negative group matches. So maybe allowing this only with no_new_privs already set would make sense. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
