acl-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permis


From: Alejandro Colomar
Subject: Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces
Date: Tue, 29 Aug 2023 23:38:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.1

On 2023-08-29 23:32, Alejandro Colomar wrote:
> Hi Richard,
> 
> On 2023-08-29 22:58, Richard Weinberger wrote:
>> It is little known that user namespaces and some helpers
>> can be used to bypass negative permissions.
>>
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> ---
>> This patch applies to the Linux man-pages project.
>> ---
>>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>>  1 file changed, 29 insertions(+)
>>
>> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
>> index a65854d737cf..4927e194bcdc 100644
>> --- a/man7/user_namespaces.7
>> +++ b/man7/user_namespaces.7
>> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>>  Linux 3.12 added support for the last of the unsupported major filesystems,
>>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>>  XFS.
>> +.SS Negative permissions and Linux user namespaces
>> +While it is technically feasible to establish negative permissions through
> 
> Please use semantic newlines.
> 
> $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
>    Use semantic newlines
>      In the source of a manual page, new sentences should  be  started
>      on new lines, long sentences should be split into lines at clause
>      breaks  (commas, semicolons, colons, and so on), and long clauses
>      should be split at phrase boundaries.  This convention, sometimes
>      known as "semantic newlines", makes it easier to see  the  effect
>      of  patches,  which often operate at the level of individual sen‐
>      tences, clauses, or phrases.
> 
>> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
>> +practice. Furthermore, the utilization of Linux user namespaces introduces 
>> the
> 
> Two spaces after period, if at all.  But note that semantic newlines
> preclude that possibility.
> 
>> +potential to circumvent specific negative permissions.  This issue stems
>> +from the fact that privileged helpers, such as
>> +.BR newuidmap (1) ,
> 
> Thas second space is spurious.
> 
>> +enable unprivileged users to create user namespaces with subordinate user 
>> and
>> +group IDs. As a consequence, users can drop group memberships, resulting
>> +in a situation where negative permissions based on group membership no 
>> longer
>> +apply.
>> +
> 
> Use .PP instead of blanks.
> 
>> +Example:
>> +.in +4n
>> +.EX
>> +$ \fBid\fP
>> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
>> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 
>> --map-groups=100000,0,65536 id\fP
>> +uid=0(root) gid=0(root) groups=0(root)
> 
> This example is not working:
> 
> $ echo bar > foo
> $ sudo chmod g= foo
> $ sudo chown man foo
> $ ls -l foo
> -rw----r-- 1 man alx 4 Aug 29 23:28 foo
> $ cat foo 
> cat: foo: Permission denied
> $ id
> uid=1000(alx) gid=1000(alx) 
> groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
> unshare: failed to execute ‐S: No such file or directory

Ahh, now I see it.  You should use \- to produce pastable ASCII 0x2D.

> 
> 
>> +.EE
>> +.in
>> +
>> +User rw got rid of it's supplementary groups and can now access files that
>> +have been protected using negative permissions that match groups such as 
>> \fBnogames\fP.
>> +Please note that the
>> +.BR unshare (1)
>> +tool uses internally
>> +.BR newuidmap (1) .
>> +
> 
> Cheers,
> Alex
> 
>>  .\"
>>  .SH EXAMPLES
>>  The program below is designed to allow experimenting with
> 

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]