Re: [PATCH 0/3] Document impact of user namespaces and negative permissi
From: Alejandro Colomar
Subject: Re: [PATCH 0/3] Document impact of user namespaces and negative permissions
Date: Tue, 29 Aug 2023 23:26:12 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.1
Hello Richard,
On 2023-08-29 22:58, Richard Weinberger wrote:
> I'm sending out this patch series to document the current situation regarding
> negative permissions and user namespaces.
>
> From what I understand, the general agreement is that negative permissions
> are not recommended and should be avoided. This is why the ability to somewhat
> bypass these permissions using user namespaces is tolerated, as it's deemed
> not worth the complexity to address this without breaking existing programs
> such as podman.
>
> To be clear, the current way of bypassing negative permissions, whether DAC or
> ACL, isn't a result of a kernel flaw. The kernel issue related to this was
> resolved with CVE-2014-8989. Currently, certain privileged helpers like
> newuidmap allow regular users to create user namespaces with subordinate user
> and group ID mappings.
> This allows users to effectively drop their extra group memberships.
>
> I recently stumbled upon this behavior while looking into how rootless containers
> work. In conversations with the maintainers of the shadow package, I learned that
> this behavior is both known and intended.
> So, let's make sure to document it as well.
Can you please provide a small shell session where this is exemplified?
I.e., please show how a user (or group member) can read a file with
u= (or g= ) permissions on the file.
I.e., what can you do from here?:
$ echo bar > foo
$ ls -l foo
-rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo
$ chmod u= foo
$ sudo chmod g= foo
$ ls -l foo
-------r-- 1 alx alx 4 Aug 29 23:24 foo
$ cat foo
cat: foo: Permission denied
Cheers,
Alex
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
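
A defender-side audit for the situation discussed in this thread, added here as an example and not part of the original message or the proposed man-page patch: it lists files whose mode bits grant "other" a right that is withheld from the owner or group class, the pattern the thread calls negative permissions. The function names and the sample tree are constructed for illustration; POSIX ACL entries are not examined.

```python
import os
import stat
import tempfile


def negative_classes(mode):
    """Return the classes ('owner', 'group') denied an rwx bit that 'other' holds."""
    other = mode & 0o7
    group = (mode >> 3) & 0o7
    owner = (mode >> 6) & 0o7
    found = []
    if other & ~owner:
        found.append("owner")
    if other & ~group:
        found.append("group")
    return found


def find_negative_permissions(root):
    """Walk root without following symlinks; return sorted (relpath, mode, classes)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not used for access checks
            classes = negative_classes(st.st_mode)
            if classes:
                rel = os.path.relpath(path, root)
                hits.append((rel, stat.filemode(st.st_mode), classes))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (modes chosen for illustration) and audit it."""
    samples = (("foo", 0o004), ("deny-group", 0o604),
               ("normal", 0o644), ("private", 0o600))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("bar\n")
            os.chmod(path, mode)
        return find_negative_permissions(root)


if __name__ == "__main__":
    for relpath, modestr, classes in demo():
        print(f"{modestr} {relpath}: other holds rights denied to {', '.join(classes)}")
```

Files reported with the "group" class are the ones whose protection depends on a process being unable to shed a group membership, which is the assumption the quoted cover letter says user namespaces with subordinate ID mappings undermine.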