[PATCH 0/3] Document impact of user namespaces and negative permissions

[PATCH 0/3] Document impact of user namespaces and negative permissions

[Richard Weinberger]

I'm sending out this patch series to document the current situation regarding
negative permissions and user namespaces.

From what I understand, the general agreement is that negative permissions
are not recommended and should be avoided. This is why the ability to somewhat
bypass these permissions using user namespaces is tolerated, as it's deemed
not worth the complexity to address this without breaking exsting programs such
as podman.

To be clear, the current way of bypassing negative permissions, whether DAC or
ACL, isn't a result of a kernel flaw. The kernel issue related to this was
resolved with CVE-2014-8989. Currently, certain privileged helpers like
newuidmap allow regular users to create user namespaces with subordinate user
and group ID mappings.
This allows users to effectively drop their extra group memberships.

I recently stumbled upon this behavior while looking into how rootless containers
work. In conversations with the maintainers of the shadow package, I learned that
this behavior is both known and intended.
So, let's make sure to document it as well.

Thanks,
//richard

-- 
2.26.2

[PATCH 1/3] man: Document pitfall with negative permissions and user namespaces

[Richard Weinberger]

It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the acl software project.
---
 man/man5/acl.5 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/man/man5/acl.5 b/man/man5/acl.5
index 0db86b325617..2ed144742e37 100644
--- a/man/man5/acl.5
+++ b/man/man5/acl.5
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems.
 .Xr acl_from_mode 3 ,
 .Xr acl_get_perm 3 ,
 .Xr acl_to_any_text 3
+.Sh NOTES
+.Ss Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+ACLs, such an approach is widely regarded as a suboptimal practice.
+Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.Xr newuidmap 1 ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+For more details, please refer to the
+.Xr user_namespaces 7
+documentation.
 .Sh AUTHOR
 Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>
-- 
2.26.2

[PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Richard Weinberger]

It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the Linux man-pages project.
---
 man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index a65854d737cf..4927e194bcdc 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
 Linux 3.12 added support for the last of the unsupported major filesystems,
 .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
 XFS.
+.SS Negative permissions and Linux user namespaces
+While it is technically feasible to establish negative permissions through
+DAC or ACL settings, such an approach is widely regarded as a suboptimal
+practice. Furthermore, the utilization of Linux user namespaces introduces the
+potential to circumvent specific negative permissions.  This issue stems
+from the fact that privileged helpers, such as
+.BR newuidmap (1) ,
+enable unprivileged users to create user namespaces with subordinate user and
+group IDs. As a consequence, users can drop group memberships, resulting
+in a situation where negative permissions based on group membership no longer
+apply.
+
+Example:
+.in +4n
+.EX
+$ \fBid\fP
+uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
+$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
+uid=0(root) gid=0(root) groups=0(root)
+.EE
+.in
+
+User rw got rid of it's supplementary groups and can now access files that
+have been protected using negative permissions that match groups such as \fBnogames\fP.
+Please note that the
+.BR unshare (1)
+tool uses internally
+.BR newuidmap (1) .
+
 .\"
 .SH EXAMPLES
 The program below is designed to allow experimenting with
-- 
2.26.2

[PATCH 3/3] man: Document pitfall with negative permissions and user namespaces

[Richard Weinberger]

It is little known that user namespaces and some helpers
can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the shadow project.
---
 man/subgid.5.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/man/subgid.5.xml b/man/subgid.5.xml
index e473768d..8ed281e5 100644
--- a/man/subgid.5.xml
+++ b/man/subgid.5.xml
@@ -55,6 +55,15 @@
       <filename>/etc/subgid</filename> if subid delegation is managed via subid
       files.
     </para>
+    <para>
+      Additionally, it's worth noting that the utilization of subordinate group
+      IDs can affect the enforcement of negative permissions. User can drop their
+      supplementary groups and bypass certain negative permissions.
+      For more details see
+      <citerefentry>
+	<refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
+      </citerefentry>.
+    </para>
   </refsect1>
 
   <refsect1 id='local-subordinate-delegation'>
-- 
2.35.3

Re: [PATCH 0/3] Document impact of user namespaces and negative permissions

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 1767 bytes --]

Hello Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> I'm sending out this patch series to document the current situation regarding
> negative permissions and user namespaces.
> 
> From what I understand, the general agreement is that negative permissions
> are not recommended and should be avoided. This is why the ability to somewhat
> bypass these permissions using user namespaces is tolerated, as it's deemed
> not worth the complexity to address this without breaking exsting programs such
> as podman.
> 
> To be clear, the current way of bypassing negative permissions, whether DAC or
> ACL, isn't a result of a kernel flaw. The kernel issue related to this was
> resolved with CVE-2014-8989. Currently, certain privileged helpers like
> newuidmap allow regular users to create user namespaces with subordinate user
> and group ID mappings.
> This allows users to effectively drop their extra group memberships.
> 
> I recently stumbled upon this behavior while looking into how rootless containers
> work. In conversations with the maintainers of the shadow package, I learned that
> this behavior is both known and intended.
> So, let's make sure to document it as well.

Can you please provide a small shell session where this is exemplified?
I.e., please show how a user (or group member) can read a file with
u= (or g= ) permissions on the file.

I.e., what can you do from here?:

$ echo bar > foo
$ ls -l foo
-rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo
$ chmod u= foo
$ sudo chmod g= foo
$ ls -l foo
-------r-- 1 alx alx 4 Aug 29 23:24 foo
$ cat foo
cat: foo: Permission denied


Cheers,
Alex

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 0/3] Document impact of user namespaces and negative permissions

[Richard Weinberger]

----- Ursprüngliche Mail -----
> Von: "Alejandro Colomar" <alx@kernel.org>
> Can you please provide a small shell session where this is exemplified?

Sure. I sent the following to the shadow maintainers privately on Friday,
but since the issue is already known for years I don't hesitate to share.

# On a Debian Bookworm
# So far no entries are installed.
$ cat /etc/subuid

# useradd automatically does so.
$ useradd -m rw
$ cat /etc/subuid
rw:100000:65536

# Let's create a folder where the group "nogames" has no permissions.
$ mkdir /games
$ echo win > /games/game.txt
$ groupadd nogames
$ chown -R root:nogames /games
$ chmod 705 /games

# User "rw" must not play games
$ usermod -G nogames rw

# Works as expected
rw@localhost:~$ id
uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
rw@localhost:~$ cat /games/game.txt
cat: /games/game.txt: Permission denied

# By using unshare (which utilizes the newuidmap helper) we can get rid of the "nogames" group.
rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id
uid=0(root) gid=0(root) groups=0(root)

rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 cat /games/game.txt
win

Thanks,
//richard

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 3498 bytes --]

Hi Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the Linux man-pages project.
> ---
>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>  Linux 3.12 added support for the last of the unsupported major filesystems,
>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>  XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through

Please use semantic newlines.

$ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
   Use semantic newlines
     In the source of a manual page, new sentences should  be  started
     on new lines, long sentences should be split into lines at clause
     breaks  (commas, semicolons, colons, and so on), and long clauses
     should be split at phrase boundaries.  This convention, sometimes
     known as "semantic newlines", makes it easier to see  the  effect
     of  patches,  which often operate at the level of individual sen‐
     tences, clauses, or phrases.

> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces the

Two spaces after period, if at all.  But note that semantic newlines
preclude that possibility.

> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,

Thas second space is spurious.

> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +

Use .PP instead of blanks.

> +Example:
> +.in +4n
> +.EX
> +$ \fBid\fP
> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
> +uid=0(root) gid=0(root) groups=0(root)

This example is not working:

$ echo bar > foo
$ sudo chmod g= foo
$ sudo chown man foo
$ ls -l foo
-rw----r-- 1 man alx 4 Aug 29 23:28 foo
$ cat foo 
cat: foo: Permission denied
$ id
uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
$ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
unshare: failed to execute ‐S: No such file or directory


> +.EE
> +.in
> +
> +User rw got rid of it's supplementary groups and can now access files that
> +have been protected using negative permissions that match groups such as \fBnogames\fP.
> +Please note that the
> +.BR unshare (1)
> +tool uses internally
> +.BR newuidmap (1) .
> +

Cheers,
Alex

>  .\"
>  .SH EXAMPLES
>  The program below is designed to allow experimenting with

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 3764 bytes --]

On 2023-08-29 23:32, Alejandro Colomar wrote:
> Hi Richard,
> 
> On 2023-08-29 22:58, Richard Weinberger wrote:
>> It is little known that user namespaces and some helpers
>> can be used to bypass negative permissions.
>>
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> ---
>> This patch applies to the Linux man-pages project.
>> ---
>>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>>  1 file changed, 29 insertions(+)
>>
>> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
>> index a65854d737cf..4927e194bcdc 100644
>> --- a/man7/user_namespaces.7
>> +++ b/man7/user_namespaces.7
>> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>>  Linux 3.12 added support for the last of the unsupported major filesystems,
>>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>>  XFS.
>> +.SS Negative permissions and Linux user namespaces
>> +While it is technically feasible to establish negative permissions through
> 
> Please use semantic newlines.
> 
> $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
>    Use semantic newlines
>      In the source of a manual page, new sentences should  be  started
>      on new lines, long sentences should be split into lines at clause
>      breaks  (commas, semicolons, colons, and so on), and long clauses
>      should be split at phrase boundaries.  This convention, sometimes
>      known as "semantic newlines", makes it easier to see  the  effect
>      of  patches,  which often operate at the level of individual sen‐
>      tences, clauses, or phrases.
> 
>> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
>> +practice. Furthermore, the utilization of Linux user namespaces introduces the
> 
> Two spaces after period, if at all.  But note that semantic newlines
> preclude that possibility.
> 
>> +potential to circumvent specific negative permissions.  This issue stems
>> +from the fact that privileged helpers, such as
>> +.BR newuidmap (1) ,
> 
> Thas second space is spurious.
> 
>> +enable unprivileged users to create user namespaces with subordinate user and
>> +group IDs. As a consequence, users can drop group memberships, resulting
>> +in a situation where negative permissions based on group membership no longer
>> +apply.
>> +
> 
> Use .PP instead of blanks.
> 
>> +Example:
>> +.in +4n
>> +.EX
>> +$ \fBid\fP
>> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
>> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
>> +uid=0(root) gid=0(root) groups=0(root)
> 
> This example is not working:
> 
> $ echo bar > foo
> $ sudo chmod g= foo
> $ sudo chown man foo
> $ ls -l foo
> -rw----r-- 1 man alx 4 Aug 29 23:28 foo
> $ cat foo 
> cat: foo: Permission denied
> $ id
> uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
> unshare: failed to execute ‐S: No such file or directory

Ahh, now I see it.  You should use \- to produce pastable ASCII 0x2D.

> 
> 
>> +.EE
>> +.in
>> +
>> +User rw got rid of it's supplementary groups and can now access files that
>> +have been protected using negative permissions that match groups such as \fBnogames\fP.
>> +Please note that the
>> +.BR unshare (1)
>> +tool uses internally
>> +.BR newuidmap (1) .
>> +
> 
> Cheers,
> Alex
> 
>>  .\"
>>  .SH EXAMPLES
>>  The program below is designed to allow experimenting with
> 

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Richard Weinberger]

----- Ursprüngliche Mail -----
> Von: "Alejandro Colomar" <alx@kernel.org>
> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
> unshare: failed to execute ‐S: No such file or directory

Well, maybe your unshare tool is too old.
AFAIK it uses newuidmap only in recent versions.

You can achieve the very same als using podman in rootless mode.
e.g.
podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt"

Thanks,
//richard

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Richard Weinberger]

----- Ursprüngliche Mail -----
> Von: "Alejandro Colomar" <alx@kernel.org>
>> uid=1000(alx) gid=1000(alx)
>> groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
>> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
>> unshare: failed to execute ‐S: No such file or directory
> 
> Ahh, now I see it.  You should use \- to produce pastable ASCII 0x2D.

Sorry for that. My troff fu is weak. :-)

Thanks,
//richard

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 804 bytes --]

On 2023-08-29 23:39, Richard Weinberger wrote:
> ----- Ursprüngliche Mail -----
>> Von: "Alejandro Colomar" <alx@kernel.org>
>> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
>> unshare: failed to execute ‐S: No such file or directory
> 
> Well, maybe your unshare tool is too old.
> AFAIK it uses newuidmap only in recent versions.

I'm on Debian Sid.  That's quite unlikely :p
(Although Debian Sid still runs make-4.3, so it wouldn't be crazy).

> 
> You can achieve the very same als using podman in rootless mode.
> e.g.
> podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt"
> 
> Thanks,
> //richard

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Christian Brauner]

On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the Linux man-pages project.
> ---
>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>  Linux 3.12 added support for the last of the unsupported major filesystems,
>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>  XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces the
> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.

For the content,
Acked-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces

[Christian Brauner]

On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the acl software project.
> ---
>  man/man5/acl.5 | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/man/man5/acl.5 b/man/man5/acl.5
> index 0db86b325617..2ed144742e37 100644
> --- a/man/man5/acl.5
> +++ b/man/man5/acl.5
> @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems.
>  .Xr acl_from_mode 3 ,
>  .Xr acl_get_perm 3 ,
>  .Xr acl_to_any_text 3
> +.Sh NOTES
> +.Ss Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through
> +ACLs, such an approach is widely regarded as a suboptimal practice.
> +Furthermore, the utilization of Linux user namespaces introduces the
> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.Xr newuidmap 1 ,
> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +For more details, please refer to the
> +.Xr user_namespaces 7
> +documentation.
>  .Sh AUTHOR
>  Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>

Looks good to me,
Acked-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces

[Christian Brauner]

On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the shadow project.
> ---
>  man/subgid.5.xml | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/man/subgid.5.xml b/man/subgid.5.xml
> index e473768d..8ed281e5 100644
> --- a/man/subgid.5.xml
> +++ b/man/subgid.5.xml
> @@ -55,6 +55,15 @@
>        <filename>/etc/subgid</filename> if subid delegation is managed via subid
>        files.
>      </para>
> +    <para>
> +      Additionally, it's worth noting that the utilization of subordinate group
> +      IDs can affect the enforcement of negative permissions. User can drop their
> +      supplementary groups and bypass certain negative permissions.
> +      For more details see
> +      <citerefentry>
> +	<refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum>
> +      </citerefentry>.
> +    </para>
>    </refsect1>

Looks good to me (content),
Acked-by: Christian Brauner <brauner@kernel.org>

Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 3965 bytes --]

Hi,

On 2023-08-29 23:32, Alejandro Colomar wrote:
> Hi Richard,
> 
> On 2023-08-29 22:58, Richard Weinberger wrote:
>> It is little known that user namespaces and some helpers
>> can be used to bypass negative permissions.
>>
>> Signed-off-by: Richard Weinberger <richard@nod.at>
>> ---
>> This patch applies to the Linux man-pages project.
>> ---
>>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>>  1 file changed, 29 insertions(+)
>>
>> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
>> index a65854d737cf..4927e194bcdc 100644
>> --- a/man7/user_namespaces.7
>> +++ b/man7/user_namespaces.7
>> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>>  Linux 3.12 added support for the last of the unsupported major filesystems,
>>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>>  XFS.
>> +.SS Negative permissions and Linux user namespaces
>> +While it is technically feasible to establish negative permissions through
> 
> Please use semantic newlines.
> 
> $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
>    Use semantic newlines
>      In the source of a manual page, new sentences should  be  started
>      on new lines, long sentences should be split into lines at clause
>      breaks  (commas, semicolons, colons, and so on), and long clauses
>      should be split at phrase boundaries.  This convention, sometimes
>      known as "semantic newlines", makes it easier to see  the  effect
>      of  patches,  which often operate at the level of individual sen‐
>      tences, clauses, or phrases.
> 
>> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
>> +practice. Furthermore, the utilization of Linux user namespaces introduces the
> 
> Two spaces after period, if at all.  But note that semantic newlines
> preclude that possibility.

I should clarify that this is not a matter of style.  Software will
behave incorrectly if you don't double-space after a period.

In shadow, I see that there's only one space after period in all of
the pages.  I'll send a patch to fix that.

Cheers,
Alex


> 
>> +potential to circumvent specific negative permissions.  This issue stems
>> +from the fact that privileged helpers, such as
>> +.BR newuidmap (1) ,
> 
> Thas second space is spurious.
> 
>> +enable unprivileged users to create user namespaces with subordinate user and
>> +group IDs. As a consequence, users can drop group memberships, resulting
>> +in a situation where negative permissions based on group membership no longer
>> +apply.
>> +
> 
> Use .PP instead of blanks.
> 
>> +Example:
>> +.in +4n
>> +.EX
>> +$ \fBid\fP
>> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
>> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
>> +uid=0(root) gid=0(root) groups=0(root)
> 
> This example is not working:
> 
> $ echo bar > foo
> $ sudo chmod g= foo
> $ sudo chown man foo
> $ ls -l foo
> -rw----r-- 1 man alx 4 Aug 29 23:28 foo
> $ cat foo 
> cat: foo: Permission denied
> $ id
> uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
> unshare: failed to execute ‐S: No such file or directory
> 
> 
>> +.EE
>> +.in
>> +
>> +User rw got rid of it's supplementary groups and can now access files that
>> +have been protected using negative permissions that match groups such as \fBnogames\fP.
>> +Please note that the
>> +.BR unshare (1)
>> +tool uses internally
>> +.BR newuidmap (1) .
>> +
> 
> Cheers,
> Alex
> 
>>  .\"
>>  .SH EXAMPLES
>>  The program below is designed to allow experimenting with
> 

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 0/3] Document impact of user namespaces and negative permissions

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 1640 bytes --]

Hi Richard,

On 2023-08-29 23:32, Richard Weinberger wrote:
> ----- Ursprüngliche Mail -----
>> Von: "Alejandro Colomar" <alx@kernel.org>
>> Can you please provide a small shell session where this is exemplified?
> 
> Sure. I sent the following to the shadow maintainers privately on Friday,
> but since the issue is already known for years I don't hesitate to share.
> 
> # On a Debian Bookworm
> # So far no entries are installed.
> $ cat /etc/subuid
> 
> # useradd automatically does so.
> $ useradd -m rw
> $ cat /etc/subuid
> rw:100000:65536
> 
> # Let's create a folder where the group "nogames" has no permissions.
> $ mkdir /games
> $ echo win > /games/game.txt
> $ groupadd nogames
> $ chown -R root:nogames /games
> $ chmod 705 /games
> 
> # User "rw" must not play games
> $ usermod -G nogames rw
> 
> # Works as expected
> rw@localhost:~$ id
> uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
> rw@localhost:~$ cat /games/game.txt
> cat: /games/game.txt: Permission denied
> 
> # By using unshare (which utilizes the newuidmap helper) we can get rid of the "nogames" group.
> rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id
> uid=0(root) gid=0(root) groups=0(root)
> 
> rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 cat /games/game.txt
> win
> 
> Thanks,
> //richard

Thanks!

Please include this in the commit message (at least for the Linux man-pages
one).

Cheers,
Alex

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]