acl-devel

Re: [PATCH 0/3] Document impact of user namespaces and negative permissi


From: Alejandro Colomar
Subject: Re: [PATCH 0/3] Document impact of user namespaces and negative permissions
Date: Tue, 29 Aug 2023 23:26:12 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.1

Hello Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> I'm sending out this patch series to document the current situation regarding
> negative permissions and user namespaces.
> 
> From what I understand, the general agreement is that negative permissions
> are not recommended and should be avoided. This is why the ability to somewhat
> bypass these permissions using user namespaces is tolerated, as it's deemed
> not worth the complexity to address this without breaking existing programs such
> as podman.
> 
> To be clear, the current way of bypassing negative permissions, whether DAC or
> ACL, isn't a result of a kernel flaw. The kernel issue related to this was
> resolved with CVE-2014-8989. Currently, certain privileged helpers like
> newuidmap allow regular users to create user namespaces with subordinate user
> and group ID mappings.
> This allows users to effectively drop their extra group memberships.
> 
> I recently stumbled upon this behavior while looking into how rootless containers
> work. In conversations with the maintainers of the shadow package, I learned that
> this behavior is both known and intended.
> So, let's make sure to document it as well.

Can you please provide a small shell session where this is exemplified?
I.e., please show how a user (or group member) can read a file with
u= (or g= ) permissions on the file.

I.e., what can you do from here?:

$ echo bar > foo
$ ls -l foo
-rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo
$ chmod u= foo
$ sudo chmod g= foo
$ ls -l foo
-------r-- 1 alx alx 4 Aug 29 23:24 foo
$ cat foo
cat: foo: Permission denied


Cheers,
Alex

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
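
For the defender's side of the behaviour discussed in this message, an added example (not part of the original email or of the patch series): a POSIX shell audit that lists files whose mode bits rely on a negative permission, i.e. where the owner or group class is granted less than "other", as with `foo` after the `chmod` calls above. It assumes GNU find and stat, checks mode bits only (ACL entries are not inspected), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find files and directories whose mode bits form a
# "negative permission" (owner or group gets fewer bits than other).
# Assumptions: GNU stat (-c) is available; paths contain no newlines.

# neg_class MODE
# MODE is the octal mode as printed by `stat -c %a` (e.g. 4, 604, 4755).
# Prints "user", "group", "user,group", or nothing if no class is
# denied a bit that "other" is granted.
neg_class() {
    mode=$(( 0$1 ))                 # leading 0 makes the constant octal
    u=$(( (mode >> 6) & 7 ))
    g=$(( (mode >> 3) & 7 ))
    o=$(( mode & 7 ))
    out=
    if [ $(( o & ~u & 7 )) -ne 0 ]; then
        out=user
    fi
    if [ $(( o & ~g & 7 )) -ne 0 ]; then
        # This is the case that stops applying once a process no longer
        # carries the group, which is what the thread is about.
        out=${out:+$out,}group
    fi
    printf '%s' "$out"
}

# audit_negative_perms DIR
# Prints one tab-separated line per hit: CLASS, MODE, PATH.
audit_negative_perms() {
    find "$1" -xdev \( -type f -o -type d \) -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        cls=$(neg_class "$mode")
        if [ -n "$cls" ]; then
            printf '%s\t%s\t%s\n' "$cls" "$mode" "$path"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_negative_perms "$1"
fi
```

Hits in the `group` class are the ones to review first: access control that depends on them should be re-expressed as a positive grant.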
