[PATCH 0/3] Document impact of user namespaces and negative permissions

[Richard Weinberger]

I'm sending out this patch series to document the current situation regarding
negative permissions and user namespaces.

>From what I understand, the general agreement is that negative permissions
are not recommended and should be avoided. This is why the ability to somewhat
bypass these permissions using user namespaces is tolerated, as it's deemed
not worth the complexity to address this without breaking exsting programs such
as podman.

To be clear, the current way of bypassing negative permissions, whether DAC or
ACL, isn't a result of a kernel flaw. The kernel issue related to this was
resolved with CVE-2014-8989. Currently, certain privileged helpers like
newuidmap allow regular users to create user namespaces with subordinate user
and group ID mappings.
This allows users to effectively drop their extra group memberships.

I recently stumbled upon this behavior while looking into how rootless 
containers
work. In conversations with the maintainers of the shadow package, I learned 
that
this behavior is both known and intended.
So, let's make sure to document it as well.

Thanks,
//richard

-- 
2.26.2