[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 1/3] man: Document pitfall with negative permissions and user nam
From: |
Richard Weinberger |
Subject: |
[PATCH 1/3] man: Document pitfall with negative permissions and user namespaces |
Date: |
Tue, 29 Aug 2023 22:58:31 +0200 |
It is little known that user namespaces and some helpers
can be used to bypass negative permissions.
Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the acl software project.
---
man/man5/acl.5 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/man/man5/acl.5 b/man/man5/acl.5
index 0db86b325617..2ed144742e37 100644
--- a/man/man5/acl.5
+++ b/man/man5/acl.5
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux
systems.
.Xr acl_from_mode 3 ,
.Xr acl_get_perm 3 ,
.Xr acl_to_any_text 3
+.Sh NOTES
+.Ss Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+ACLs, such an approach is widely regarded as a suboptimal practice.
+Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions. This issue stems
+from the fact that privileged helpers, such as
+.Xr newuidmap 1 ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+For more details, please refer to the
+.Xr user_namespaces 7
+documentation.
.Sh AUTHOR
Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>
--
2.26.2