acl-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permis


From: Christian Brauner
Subject: Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces
Date: Wed, 30 Aug 2023 10:18:22 +0200

On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the Linux man-pages project.
> ---
>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>  Linux 3.12 added support for the last of the unsupported major filesystems,
>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>  XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces 
> the
> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.

For the content,
Acked-by: Christian Brauner <brauner@kernel.org>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]