acl-devel



From: Richard Weinberger
Subject: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces
Date: Tue, 29 Aug 2023 22:58:33 +0200

It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the shadow project.
---
 man/subgid.5.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index e473768d..8ed281e5 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -55,6 +55,15 @@
       <filename>/etc/subgid</filename> if subid delegation is managed via subid
       files.
     </para>
+    <para>
+      Additionally, it's worth noting that the utilization of subordinate group
+      IDs can affect the enforcement of negative permissions. User can drop 
their
+      supplementary groups and bypass certain negative permissions.
+      For more details see
+      <citerefentry>
+       <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
+      </citerefentry>.
+    </para>
   </refsect1>
 
   <refsect1 id='local-subordinate-delegation'>
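Review bot: the new paragraph should state the pitfall rather than say subordinate group IDs "can affect the enforcement of negative permissions": tie the two halves together as the commit message does, i.e. that a user whose subordinate GIDs are mapped into a user namespace can drop supplementary groups there and so bypass a permission that denies access to one of those groups. Also, "User can drop their" should read "Users can drop their", there is trailing whitespace after "drop", and the `<refentrytitle>` line is indented one space less than the surrounding elements.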
-- 
2.35.3
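The pitfall the patch documents only matters where negative permissions are actually in use: a mode in which the owning group is granted strictly less than everyone else, so membership in the group reduces access instead of adding to it. An administrator reading the new caveat will want to find such entries. The audit script below is an added example, not part of this patch or of the shadow project; it walks a directory tree and reports entries whose group bits are a strict subset of the other bits. The `demo()` layout is constructed in a temporary directory purely for illustration.

```python
import os
import stat
import tempfile

# Permission masks for the group and other classes. A "negative permission"
# is a mode where the group class gets strictly less than the other class.
GROUP_BITS = stat.S_IRWXG
OTHER_BITS = stat.S_IRWXO


def is_negative_permission(mode: int) -> bool:
    """Return True when the group class is granted strictly less than others.

    Group bits are shifted down so they line up with the other bits; the
    mode is negative when group is a proper subset of other (e.g. 0o604).
    """
    group = (mode & GROUP_BITS) >> 3
    other = mode & OTHER_BITS
    return (group & other) == group and group != other


def find_negative_permissions(root: str) -> list:
    """Walk root and return (path, filemode) for entries with negative permissions.

    Symlinks are skipped because their mode bits are not used for access
    decisions; unreadable entries are skipped rather than aborting the walk.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_negative_permission(st.st_mode):
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def demo() -> list:
    """Build a constructed tree with one negative-permission file and audit it.

    Returns the list of filemode strings the audit reports, so the result is
    independent of the temporary directory's name.
    """
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "readme.txt")
        negative = os.path.join(root, "no-group-access.txt")
        for path in (normal, negative):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(normal, 0o644)    # group gets the same as others: fine
        os.chmod(negative, 0o604)  # group gets nothing, others may read: negative
        return [mode for _, mode in find_negative_permissions(root)]


if __name__ == "__main__":
    for mode in demo():
        print("negative permission found:", mode)
```

Run it against a real tree with `find_negative_permissions("/srv")` and review each hit: any such file is one where a user who can shed the denied group, for instance inside a user namespace, regains the access the mode was meant to withhold, so the restriction should be expressed positively (grant to the allowed group, deny to everyone else) instead.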



