On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@xxxxxx> > --- > This patch applies to the shadow project. > --- > man/subgid.5.xml | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/man/subgid.5.xml b/man/subgid.5.xml > index e473768d..8ed281e5 100644 > --- a/man/subgid.5.xml > +++ b/man/subgid.5.xml > @@ -55,6 +55,15 @@ > <filename>/etc/subgid</filename> if subid delegation is managed via subid > files. > </para> > + <para> > + Additionally, it's worth noting that the utilization of subordinate group > + IDs can affect the enforcement of negative permissions. User can drop their > + supplementary groups and bypass certain negative permissions. > + For more details see > + <citerefentry> > + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum> > + </citerefentry>. > + </para> > </refsect1> Looks good to me (content), Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
