acl-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/3] man: Document pitfall with negative permissions and user nam


From: Richard Weinberger
Subject: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces
Date: Tue, 29 Aug 2023 22:58:31 +0200

It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the acl software project.
---
 man/man5/acl.5 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/man/man5/acl.5 b/man/man5/acl.5
index 0db86b325617..2ed144742e37 100644
--- a/man/man5/acl.5
+++ b/man/man5/acl.5
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux 
systems.
 .Xr acl_from_mode 3 ,
 .Xr acl_get_perm 3 ,
 .Xr acl_to_any_text 3
+.Sh NOTES
+.Ss Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+ACLs, such an approach is widely regarded as a suboptimal practice.
+Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.Xr newuidmap 1 ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+For more details, please refer to the
+.Xr user_namespaces 7
+documentation.
 .Sh AUTHOR
 Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>
-- 
2.26.2




reply via email to

[Prev in Thread] Current Thread [Next in Thread]