Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces

From: Christian Brauner
Subject: Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces
Date: Wed, 30 Aug 2023 10:19:35 +0200
On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
>
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the shadow project.
> ---
> man/subgid.5.xml | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/man/subgid.5.xml b/man/subgid.5.xml
> index e473768d..8ed281e5 100644
> --- a/man/subgid.5.xml
> +++ b/man/subgid.5.xml
> @@ -55,6 +55,15 @@
> <filename>/etc/subgid</filename> if subid delegation is managed via
> subid
> files.
> </para>
> + <para>
> + Additionally, it's worth noting that the utilization of subordinate
> group
> + IDs can affect the enforcement of negative permissions. User can drop
> their
> + supplementary groups and bypass certain negative permissions.
> + For more details see
> + <citerefentry>
> + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
> + </citerefentry>.
> + </para>
> </refsect1>
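Review bot: In the added <para>, "User can drop their supplementary groups" has a number-agreement error and should read "Users can drop their supplementary groups" (or "A user can drop their supplementary groups"); in the same paragraph "the utilization of subordinate group IDs" reads more naturally as "the use of subordinate group IDs". The paragraph also says "certain negative permissions" can be bypassed without saying for whom the caveat applies: since this is subgid(5) and the preceding context already names <filename>/etc/subgid</filename>, a clause such as "a user with an entry in /etc/subgid" would let the reader tell whether the warning concerns their configuration before following the user_namespaces(7) reference.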
Looks good to me (content),
Acked-by: Christian Brauner <brauner@kernel.org>