[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 3/3] man: Document pitfall with negative permissions and user nam
|
From: |
Richard Weinberger |
|
Subject: |
[PATCH 3/3] man: Document pitfall with negative permissions and user namespaces |
|
Date: |
Tue, 29 Aug 2023 22:58:33 +0200 |
It is little known that user namespaces and some helpers
can be used to bypass negative permissions.
Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the shadow project.
---
man/subgid.5.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index e473768d..8ed281e5 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -55,6 +55,15 @@
<filename>/etc/subgid</filename> if subid delegation is managed via subid
files.
</para>
+ <para>
+ Additionally, it's worth noting that the utilization of subordinate group
+ IDs can affect the enforcement of negative permissions. User can drop
their
+ supplementary groups and bypass certain negative permissions.
+ For more details see
+ <citerefentry>
+ <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
</refsect1>
<refsect1 id='local-subordinate-delegation'>
--
2.35.3
[PATCH 3/3] man: Document pitfall with negative permissions and user namespaces,
Richard Weinberger <=