On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@xxxxxx> > --- > This patch applies to the acl software project. > --- > man/man5/acl.5 | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/man/man5/acl.5 b/man/man5/acl.5 > index 0db86b325617..2ed144742e37 100644 > --- a/man/man5/acl.5 > +++ b/man/man5/acl.5 > @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. > .Xr acl_from_mode 3 , > .Xr acl_get_perm 3 , > .Xr acl_to_any_text 3 > +.Sh NOTES > +.Ss Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +ACLs, such an approach is widely regarded as a suboptimal practice. > +Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.Xr newuidmap 1 , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. > +For more details, please refer to the > +.Xr user_namespaces 7 > +documentation. > .Sh AUTHOR > Andreas Gruenbacher, <andreas.gruenbacher@xxxxxxxxx> Looks good to me, Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
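Review bot: the privileged helper that actually enables dropping group memberships is newgidmap(1), not newuidmap(1), so the new NOTES text in this hunk should cite it (or both) where it names "privileged helpers, such as .Xr newuidmap 1": setgroups(2) is only permitted inside a user namespace once gid_map has been written by a process holding CAP_SETGID in the parent namespace, which is what newgidmap does using the subordinate group IDs from /etc/subgid; an unprivileged process that writes gid_map itself must first write "deny" to /proc/self/setgroups and therefore cannot drop groups at all. Since that is the mechanism behind "users can drop group memberships", consider adding .Xr setgroups 2 next to .Xr user_namespaces 7 in the closing cross-reference. Wording nit on the same hunk: "widely regarded as a suboptimal practice" and "the utilization of Linux user namespaces introduces the potential to circumvent specific negative permissions" read heavily for a man page; plainer text such as "Negative permissions are discouraged." and "Linux user namespaces can be used to bypass some negative permissions." would match the register of the rest of acl(5).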