Hi, On 2023-08-29 23:32, Alejandro Colomar wrote: > Hi Richard, > > On 2023-08-29 22:58, Richard Weinberger wrote: >> It is little known that user namespaces and some helpers >> can be used to bypass negative permissions. >> >> Signed-off-by: Richard Weinberger <richard@xxxxxx> >> --- >> This patch applies to the Linux man-pages project. >> --- >> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a65854d737cf..4927e194bcdc 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems >> Linux 3.12 added support for the last of the unsupported major filesystems, >> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 >> XFS. >> +.SS Negative permissions and Linux user namespaces >> +While it is technically feasible to establish negative permissions through > > Please use semantic newlines. > > $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' > Use semantic newlines > In the source of a manual page, new sentences should be started > on new lines, long sentences should be split into lines at clause > breaks (commas, semicolons, colons, and so on), and long clauses > should be split at phrase boundaries. This convention, sometimes > known as "semantic newlines", makes it easier to see the effect > of patches, which often operate at the level of individual sen‐ > tences, clauses, or phrases. > >> +DAC or ACL settings, such an approach is widely regarded as a suboptimal >> +practice. Furthermore, the utilization of Linux user namespaces introduces the > > Two spaces after period, if at all. But note that semantic newlines > preclude that possibility. I should clarify that this is not a matter of style. Software will behave incorrectly if you don't double-space after a period. In shadow, I see that there's only one space after period in all of the pages. I'll send a patch to fix that. Cheers, Alex > >> +potential to circumvent specific negative permissions. This issue stems >> +from the fact that privileged helpers, such as >> +.BR newuidmap (1) , > > Thas second space is spurious. > >> +enable unprivileged users to create user namespaces with subordinate user and >> +group IDs. As a consequence, users can drop group memberships, resulting >> +in a situation where negative permissions based on group membership no longer >> +apply. >> + > > Use .PP instead of blanks. > >> +Example: >> +.in +4n >> +.EX >> +$ \fBid\fP >> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) >> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP >> +uid=0(root) gid=0(root) groups=0(root) > > This example is not working: > > $ echo bar > foo > $ sudo chmod g= foo > $ sudo chown man foo > $ ls -l foo > -rw----r-- 1 man alx 4 Aug 29 23:28 foo > $ cat foo > cat: foo: Permission denied > $ id > uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory > > >> +.EE >> +.in >> + >> +User rw got rid of it's supplementary groups and can now access files that >> +have been protected using negative permissions that match groups such as \fBnogames\fP. >> +Please note that the >> +.BR unshare (1) >> +tool uses internally >> +.BR newuidmap (1) . >> + > > Cheers, > Alex > >> .\" >> .SH EXAMPLES >> The program below is designed to allow experimenting with > -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
