[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permis
From: |
Alejandro Colomar |
Subject: |
Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces |
Date: |
Wed, 30 Aug 2023 11:26:43 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.1 |
Hi,
On 2023-08-29 23:32, Alejandro Colomar wrote:
> Hi Richard,
>
> On 2023-08-29 22:58, Richard Weinberger wrote:
>> It is little known that user namespaces and some helpers
>> can be used to bypass negative permissions.
>>
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> ---
>> This patch applies to the Linux man-pages project.
>> ---
>> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>> 1 file changed, 29 insertions(+)
>>
>> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
>> index a65854d737cf..4927e194bcdc 100644
>> --- a/man7/user_namespaces.7
>> +++ b/man7/user_namespaces.7
>> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>> Linux 3.12 added support for the last of the unsupported major filesystems,
>> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>> XFS.
>> +.SS Negative permissions and Linux user namespaces
>> +While it is technically feasible to establish negative permissions through
>
> Please use semantic newlines.
>
> $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
> Use semantic newlines
> In the source of a manual page, new sentences should be started
> on new lines, long sentences should be split into lines at clause
> breaks (commas, semicolons, colons, and so on), and long clauses
> should be split at phrase boundaries. This convention, sometimes
> known as "semantic newlines", makes it easier to see the effect
> of patches, which often operate at the level of individual sen‐
> tences, clauses, or phrases.
>
>> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
>> +practice. Furthermore, the utilization of Linux user namespaces introduces
>> the
>
> Two spaces after period, if at all. But note that semantic newlines
> preclude that possibility.
I should clarify that this is not a matter of style. Software will
behave incorrectly if you don't double-space after a period.
In shadow, I see that there's only one space after period in all of
the pages. I'll send a patch to fix that.
Cheers,
Alex
>
>> +potential to circumvent specific negative permissions. This issue stems
>> +from the fact that privileged helpers, such as
>> +.BR newuidmap (1) ,
>
> Thas second space is spurious.
>
>> +enable unprivileged users to create user namespaces with subordinate user
>> and
>> +group IDs. As a consequence, users can drop group memberships, resulting
>> +in a situation where negative permissions based on group membership no
>> longer
>> +apply.
>> +
>
> Use .PP instead of blanks.
>
>> +Example:
>> +.in +4n
>> +.EX
>> +$ \fBid\fP
>> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
>> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536
>> --map-groups=100000,0,65536 id\fP
>> +uid=0(root) gid=0(root) groups=0(root)
>
> This example is not working:
>
> $ echo bar > foo
> $ sudo chmod g= foo
> $ sudo chown man foo
> $ ls -l foo
> -rw----r-- 1 man alx 4 Aug 29 23:28 foo
> $ cat foo
> cat: foo: Permission denied
> $ id
> uid=1000(alx) gid=1000(alx)
> groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
> unshare: failed to execute ‐S: No such file or directory
>
>
>> +.EE
>> +.in
>> +
>> +User rw got rid of it's supplementary groups and can now access files that
>> +have been protected using negative permissions that match groups such as
>> \fBnogames\fP.
>> +Please note that the
>> +.BR unshare (1)
>> +tool uses internally
>> +.BR newuidmap (1) .
>> +
>
> Cheers,
> Alex
>
>> .\"
>> .SH EXAMPLES
>> The program below is designed to allow experimenting with
>
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
OpenPGP_signature
Description: OpenPGP digital signature
[PATCH 3/3] man: Document pitfall with negative permissions and user namespaces, Richard Weinberger, 2023/08/29