It is little known that user namespaces and some helpers
can be used to bypass negative permissions.
Signed-off-by: Richard Weinberger <richard@xxxxxx>
---
This patch applies to the shadow project.
---
man/subgid.5.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index e473768d..8ed281e5 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -55,6 +55,15 @@
<filename>/etc/subgid</filename> if subid delegation is managed via subid
files.
</para>
+ <para>
+ Additionally, it's worth noting that the utilization of subordinate group
+ IDs can affect the enforcement of negative permissions. User can drop their
+ supplementary groups and bypass certain negative permissions.
+ For more details see
+ <citerefentry>
+ <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
</refsect1>
<refsect1 id='local-subordinate-delegation'>
--
2.35.3
