Hi Richard,
On 2023-08-29 22:58, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> ---
> This patch applies to the Linux man-pages project.
> ---
> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
> 1 file changed, 29 insertions(+)
>
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
> Linux 3.12 added support for the last of the unsupported major filesystems,
> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
> XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
Please use semantic newlines.
$ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
Use semantic newlines
In the source of a manual page, new sentences should be started
on new lines, long sentences should be split into lines at clause
breaks (commas, semicolons, colons, and so on), and long clauses
should be split at phrase boundaries. This convention, sometimes
known as "semantic newlines", makes it easier to see the effect
of patches, which often operate at the level of individual sen‐
tences, clauses, or phrases.
> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces the
Two spaces after period, if at all. But note that semantic newlines
preclude that possibility.
> +potential to circumvent specific negative permissions. This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,
Thas second space is spurious.
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +
Use .PP instead of blanks.
> +Example:
> +.in +4n
> +.EX
> +$ \fBid\fP
> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
> +uid=0(root) gid=0(root) groups=0(root)
This example is not working:
$ echo bar > foo
$ sudo chmod g= foo
$ sudo chown man foo
$ ls -l foo
-rw----r-- 1 man alx 4 Aug 29 23:28 foo
$ cat foo
cat: foo: Permission denied
$ id
uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
$ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
unshare: failed to execute ‐S: No such file or directory
> +.EE
> +.in
> +
> +User rw got rid of it's supplementary groups and can now access files that
> +have been protected using negative permissions that match groups such as \fBnogames\fP.
> +Please note that the
> +.BR unshare (1)
> +tool uses internally
> +.BR newuidmap (1) .
> +
Cheers,
Alex
> .\"
> .SH EXAMPLES
> The program below is designed to allow experimenting with
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
