[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/3] man: Document pitfall with negative permissions and user
From: |
Christian Brauner |
Subject: |
Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces |
Date: |
Wed, 30 Aug 2023 10:19:04 +0200 |
On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
>
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the acl software project.
> ---
> man/man5/acl.5 | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/man/man5/acl.5 b/man/man5/acl.5
> index 0db86b325617..2ed144742e37 100644
> --- a/man/man5/acl.5
> +++ b/man/man5/acl.5
> @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux
> systems.
> .Xr acl_from_mode 3 ,
> .Xr acl_get_perm 3 ,
> .Xr acl_to_any_text 3
> +.Sh NOTES
> +.Ss Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +ACLs, such an approach is widely regarded as a suboptimal practice.
> +Furthermore, the utilization of Linux user namespaces introduces the
> +potential to circumvent specific negative permissions. This issue stems
> +from the fact that privileged helpers, such as
> +.Xr newuidmap 1 ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +For more details, please refer to the
> +.Xr user_namespaces 7
> +documentation.
> .Sh AUTHOR
> Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>
Looks good to me,
Acked-by: Christian Brauner <brauner@kernel.org>