acl-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] man: Document pitfall with negative permissions and user

From: Christian Brauner
Subject: Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces
Date: Wed, 30 Aug 2023 10:19:04 +0200 
On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the acl software project.
> ---
>  man/man5/acl.5 | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/man/man5/acl.5 b/man/man5/acl.5
> index 0db86b325617..2ed144742e37 100644
> --- a/man/man5/acl.5
> +++ b/man/man5/acl.5
> @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux 
> systems.
>  .Xr acl_from_mode 3 ,
>  .Xr acl_get_perm 3 ,
>  .Xr acl_to_any_text 3
> +.Sh NOTES
> +.Ss Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +ACLs, such an approach is widely regarded as a suboptimal practice.
> +Furthermore, the utilization of Linux user namespaces introduces the
> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.Xr newuidmap 1 ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +For more details, please refer to the
> +.Xr user_namespaces 7
> +documentation.
>  .Sh AUTHOR
>  Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>

Looks good to me,
Acked-by: Christian Brauner <brauner@kernel.org>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]