| Message ID | 20230829205833.14873-3-richard@nod.at (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Document impact of user namespaces and negative permissions | expand |
Hi Richard, On 2023-08-29 22:58, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the Linux man-pages project. > --- > man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index a65854d737cf..4927e194bcdc 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems > Linux 3.12 added support for the last of the unsupported major filesystems, > .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 > XFS. > +.SS Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through Please use semantic newlines. $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' Use semantic newlines In the source of a manual page, new sentences should be started on new lines, long sentences should be split into lines at clause breaks (commas, semicolons, colons, and so on), and long clauses should be split at phrase boundaries. This convention, sometimes known as "semantic newlines", makes it easier to see the effect of patches, which often operate at the level of individual sen‐ tences, clauses, or phrases. > +DAC or ACL settings, such an approach is widely regarded as a suboptimal > +practice. Furthermore, the utilization of Linux user namespaces introduces the Two spaces after period, if at all. But note that semantic newlines preclude that possibility. > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.BR newuidmap (1) , Thas second space is spurious. > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. > + Use .PP instead of blanks. > +Example: > +.in +4n > +.EX > +$ \fBid\fP > +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) > +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP > +uid=0(root) gid=0(root) groups=0(root) This example is not working: $ echo bar > foo $ sudo chmod g= foo $ sudo chown man foo $ ls -l foo -rw----r-- 1 man alx 4 Aug 29 23:28 foo $ cat foo cat: foo: Permission denied $ id uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id unshare: failed to execute ‐S: No such file or directory > +.EE > +.in > + > +User rw got rid of it's supplementary groups and can now access files that > +have been protected using negative permissions that match groups such as \fBnogames\fP. > +Please note that the > +.BR unshare (1) > +tool uses internally > +.BR newuidmap (1) . > + Cheers, Alex > .\" > .SH EXAMPLES > The program below is designed to allow experimenting with
On 2023-08-29 23:32, Alejandro Colomar wrote: > Hi Richard, > > On 2023-08-29 22:58, Richard Weinberger wrote: >> It is little known that user namespaces and some helpers >> can be used to bypass negative permissions. >> >> Signed-off-by: Richard Weinberger <richard@nod.at> >> --- >> This patch applies to the Linux man-pages project. >> --- >> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a65854d737cf..4927e194bcdc 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems >> Linux 3.12 added support for the last of the unsupported major filesystems, >> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 >> XFS. >> +.SS Negative permissions and Linux user namespaces >> +While it is technically feasible to establish negative permissions through > > Please use semantic newlines. > > $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' > Use semantic newlines > In the source of a manual page, new sentences should be started > on new lines, long sentences should be split into lines at clause > breaks (commas, semicolons, colons, and so on), and long clauses > should be split at phrase boundaries. This convention, sometimes > known as "semantic newlines", makes it easier to see the effect > of patches, which often operate at the level of individual sen‐ > tences, clauses, or phrases. > >> +DAC or ACL settings, such an approach is widely regarded as a suboptimal >> +practice. Furthermore, the utilization of Linux user namespaces introduces the > > Two spaces after period, if at all. But note that semantic newlines > preclude that possibility. > >> +potential to circumvent specific negative permissions. This issue stems >> +from the fact that privileged helpers, such as >> +.BR newuidmap (1) , > > Thas second space is spurious. > >> +enable unprivileged users to create user namespaces with subordinate user and >> +group IDs. As a consequence, users can drop group memberships, resulting >> +in a situation where negative permissions based on group membership no longer >> +apply. >> + > > Use .PP instead of blanks. > >> +Example: >> +.in +4n >> +.EX >> +$ \fBid\fP >> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) >> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP >> +uid=0(root) gid=0(root) groups=0(root) > > This example is not working: > > $ echo bar > foo > $ sudo chmod g= foo > $ sudo chown man foo > $ ls -l foo > -rw----r-- 1 man alx 4 Aug 29 23:28 foo > $ cat foo > cat: foo: Permission denied > $ id > uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory Ahh, now I see it. You should use \- to produce pastable ASCII 0x2D. > > >> +.EE >> +.in >> + >> +User rw got rid of it's supplementary groups and can now access files that >> +have been protected using negative permissions that match groups such as \fBnogames\fP. >> +Please note that the >> +.BR unshare (1) >> +tool uses internally >> +.BR newuidmap (1) . >> + > > Cheers, > Alex > >> .\" >> .SH EXAMPLES >> The program below is designed to allow experimenting with >
----- Ursprüngliche Mail ----- > Von: "Alejandro Colomar" <alx@kernel.org> > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory Well, maybe your unshare tool is too old. AFAIK it uses newuidmap only in recent versions. You can achieve the very same als using podman in rootless mode. e.g. podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt" Thanks, //richard
----- Ursprüngliche Mail ----- > Von: "Alejandro Colomar" <alx@kernel.org> >> uid=1000(alx) gid=1000(alx) >> groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) >> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id >> unshare: failed to execute ‐S: No such file or directory > > Ahh, now I see it. You should use \- to produce pastable ASCII 0x2D. Sorry for that. My troff fu is weak. :-) Thanks, //richard
On 2023-08-29 23:39, Richard Weinberger wrote: > ----- Ursprüngliche Mail ----- >> Von: "Alejandro Colomar" <alx@kernel.org> >> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id >> unshare: failed to execute ‐S: No such file or directory > > Well, maybe your unshare tool is too old. > AFAIK it uses newuidmap only in recent versions. I'm on Debian Sid. That's quite unlikely :p (Although Debian Sid still runs make-4.3, so it wouldn't be crazy). > > You can achieve the very same als using podman in rootless mode. > e.g. > podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt" > > Thanks, > //richard
On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the Linux man-pages project. > --- > man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index a65854d737cf..4927e194bcdc 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems > Linux 3.12 added support for the last of the unsupported major filesystems, > .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 > XFS. > +.SS Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +DAC or ACL settings, such an approach is widely regarded as a suboptimal > +practice. Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.BR newuidmap (1) , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. For the content, Acked-by: Christian Brauner <brauner@kernel.org>
Hi, On 2023-08-29 23:32, Alejandro Colomar wrote: > Hi Richard, > > On 2023-08-29 22:58, Richard Weinberger wrote: >> It is little known that user namespaces and some helpers >> can be used to bypass negative permissions. >> >> Signed-off-by: Richard Weinberger <richard@nod.at> >> --- >> This patch applies to the Linux man-pages project. >> --- >> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a65854d737cf..4927e194bcdc 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems >> Linux 3.12 added support for the last of the unsupported major filesystems, >> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 >> XFS. >> +.SS Negative permissions and Linux user namespaces >> +While it is technically feasible to establish negative permissions through > > Please use semantic newlines. > > $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' > Use semantic newlines > In the source of a manual page, new sentences should be started > on new lines, long sentences should be split into lines at clause > breaks (commas, semicolons, colons, and so on), and long clauses > should be split at phrase boundaries. This convention, sometimes > known as "semantic newlines", makes it easier to see the effect > of patches, which often operate at the level of individual sen‐ > tences, clauses, or phrases. > >> +DAC or ACL settings, such an approach is widely regarded as a suboptimal >> +practice. Furthermore, the utilization of Linux user namespaces introduces the > > Two spaces after period, if at all. But note that semantic newlines > preclude that possibility. I should clarify that this is not a matter of style. Software will behave incorrectly if you don't double-space after a period. In shadow, I see that there's only one space after period in all of the pages. I'll send a patch to fix that. Cheers, Alex > >> +potential to circumvent specific negative permissions. This issue stems >> +from the fact that privileged helpers, such as >> +.BR newuidmap (1) , > > Thas second space is spurious. > >> +enable unprivileged users to create user namespaces with subordinate user and >> +group IDs. As a consequence, users can drop group memberships, resulting >> +in a situation where negative permissions based on group membership no longer >> +apply. >> + > > Use .PP instead of blanks. > >> +Example: >> +.in +4n >> +.EX >> +$ \fBid\fP >> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) >> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP >> +uid=0(root) gid=0(root) groups=0(root) > > This example is not working: > > $ echo bar > foo > $ sudo chmod g= foo > $ sudo chown man foo > $ ls -l foo > -rw----r-- 1 man alx 4 Aug 29 23:28 foo > $ cat foo > cat: foo: Permission denied > $ id > uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory > > >> +.EE >> +.in >> + >> +User rw got rid of it's supplementary groups and can now access files that >> +have been protected using negative permissions that match groups such as \fBnogames\fP. >> +Please note that the >> +.BR unshare (1) >> +tool uses internally >> +.BR newuidmap (1) . >> + > > Cheers, > Alex > >> .\" >> .SH EXAMPLES >> The program below is designed to allow experimenting with >
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index a65854d737cf..4927e194bcdc 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems Linux 3.12 added support for the last of the unsupported major filesystems, .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 XFS. +.SS Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +DAC or ACL settings, such an approach is widely regarded as a suboptimal +practice. Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.BR newuidmap (1) , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. + +Example: +.in +4n +.EX +$ \fBid\fP +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP +uid=0(root) gid=0(root) groups=0(root) +.EE +.in + +User rw got rid of it's supplementary groups and can now access files that +have been protected using negative permissions that match groups such as \fBnogames\fP. +Please note that the +.BR unshare (1) +tool uses internally +.BR newuidmap (1) . + .\" .SH EXAMPLES The program below is designed to allow experimenting with
It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@nod.at> --- This patch applies to the Linux man-pages project. --- man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)