On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@xxxxxx> > --- > This patch applies to the Linux man-pages project. > --- > man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index a65854d737cf..4927e194bcdc 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems > Linux 3.12 added support for the last of the unsupported major filesystems, > .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 > XFS. > +.SS Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +DAC or ACL settings, such an approach is widely regarded as a suboptimal > +practice. Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.BR newuidmap (1) , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. For the content, Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
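Review bot: The new .SS paragraph names the wrong helper and never says how the group membership is actually dropped. Group membership is governed by gid_map, which for an unprivileged user is written by newgidmap(1) from /etc/subgid, not by newuidmap(1), which only writes uid_map; the sentence "privileged helpers, such as .BR newuidmap (1) , enable unprivileged users to create user namespaces with subordinate user and group IDs" should cite newgidmap (1) as well, and "users can drop group memberships" should state the mechanism, i.e. that once gid_map has been populated this way the process holds CAP_SETGID in the new namespace and can call setgroups(2) to remove the group whose negative permission (for example a file mode where the group bits grant less than the "other" bits, or a deny ACL entry) would otherwise apply; a cross-reference to the existing text on /proc/[pid]/setgroups, which already describes this restriction, would tie the two together. Since this is documentation, the paragraph should also give the administrator the practical consequence: do not rely on negative permissions for users who are granted subordinate GIDs, or do not grant them. Finally, a roff nit: ".BR newuidmap (1) ," alternates bold/roman, so the trailing comma comes out bold; the project convention is ".BR newuidmap (1)," with the comma attached to "(1)".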