acl-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/3] man: Document pitfall with negative permissions and user


From: Christian Brauner
Subject: Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces
Date: Wed, 30 Aug 2023 10:19:35 +0200

On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the shadow project.
> ---
>  man/subgid.5.xml | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/man/subgid.5.xml b/man/subgid.5.xml
> index e473768d..8ed281e5 100644
> --- a/man/subgid.5.xml
> +++ b/man/subgid.5.xml
> @@ -55,6 +55,15 @@
>        <filename>/etc/subgid</filename> if subid delegation is managed via 
> subid
>        files.
>      </para>
> +    <para>
> +      Additionally, it's worth noting that the utilization of subordinate 
> group
> +      IDs can affect the enforcement of negative permissions. User can drop 
> their
> +      supplementary groups and bypass certain negative permissions.
> +      For more details see
> +      <citerefentry>
> +     <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
> +      </citerefentry>.
> +    </para>
>    </refsect1>

Looks good to me (content),
Acked-by: Christian Brauner <brauner@kernel.org>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]