Message ID | 20230829205833.14873-2-richard@nod.at (mailing list archive) |
---|---|
State | New, archived |
Series | Document impact of user namespaces and negative permissions |
On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the acl software project. > --- > man/man5/acl.5 | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/man/man5/acl.5 b/man/man5/acl.5 > index 0db86b325617..2ed144742e37 100644 > --- a/man/man5/acl.5 > +++ b/man/man5/acl.5 > @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. > .Xr acl_from_mode 3 , > .Xr acl_get_perm 3 , > .Xr acl_to_any_text 3 > +.Sh NOTES > +.Ss Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +ACLs, such an approach is widely regarded as a suboptimal practice. > +Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.Xr newuidmap 1 , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. > +For more details, please refer to the > +.Xr user_namespaces 7 > +documentation. > .Sh AUTHOR > Andreas Gruenbacher, <andreas.gruenbacher@gmail.com> Looks good to me, Acked-by: Christian Brauner <brauner@kernel.org>
diff --git a/man/man5/acl.5 b/man/man5/acl.5 index 0db86b325617..2ed144742e37 100644 --- a/man/man5/acl.5 +++ b/man/man5/acl.5 @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. .Xr acl_from_mode 3 , .Xr acl_get_perm 3 , .Xr acl_to_any_text 3 +.Sh NOTES +.Ss Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +ACLs, such an approach is widely regarded as a suboptimal practice. +Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.Xr newuidmap 1 , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. +For more details, please refer to the +.Xr user_namespaces 7 +documentation. .Sh AUTHOR Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>
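Review bot: The new "Negative permissions and Linux user namespaces" subsection never says what a negative permission is, so a reader of acl(5) cannot tell which of their ACLs the note is about; a one-sentence definition directly after the .Ss line (for example, an entry that gives a group less access than the other class grants) would close that gap. The text says the helpers hand out subordinate user and group IDs and that the effect comes from dropped group memberships, yet it cross-references only ".Xr newuidmap 1 ,"; adding ".Xr newgidmap 1" next to it would match the group-based case being described. Style: "permissions. This issue stems" and "group IDs. As a consequence," begin a new sentence in the middle of a source line, whereas mdoc sources normally start each sentence on its own line, and "the utilization of" and "suboptimal practice" could be shortened to "using" and "bad practice" to fit the rest of the page.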
It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the acl software project.
---
 man/man5/acl.5 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)