* [PATCH 0/3] Document impact of user namespaces and negative permissions
@ 2023-08-29 20:58 Richard Weinberger
2023-08-29 20:58 ` [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Richard Weinberger
` (3 more replies)
0 siblings, 4 replies; 16+ messages in thread
From: Richard Weinberger @ 2023-08-29 20:58 UTC (permalink / raw)
To: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher
Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm,
Richard Weinberger
I'm sending out this patch series to document the current situation regarding
negative permissions and user namespaces.
From what I understand, the general agreement is that negative permissions
are not recommended and should be avoided. This is why the ability to somewhat
bypass these permissions using user namespaces is tolerated, as it's deemed
not worth the complexity to address this without breaking exsting programs such
as podman.
To be clear, the current way of bypassing negative permissions, whether DAC or
ACL, isn't a result of a kernel flaw. The kernel issue related to this was
resolved with CVE-2014-8989. Currently, certain privileged helpers like
newuidmap allow regular users to create user namespaces with subordinate user
and group ID mappings.
This allows users to effectively drop their extra group memberships.
I recently stumbled upon this behavior while looking into how rootless containers
work. In conversations with the maintainers of the shadow package, I learned that
this behavior is both known and intended.
So, let's make sure to document it as well.
Thanks,
//richard
--
2.26.2
^ permalink raw reply [flat|nested] 16+ messages in thread* [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 [PATCH 0/3] Document impact of user namespaces and negative permissions Richard Weinberger @ 2023-08-29 20:58 ` Richard Weinberger 2023-08-30 8:19 ` Christian Brauner 2023-08-29 20:58 ` [PATCH 2/3] user_namespaces.7: " Richard Weinberger ` (2 subsequent siblings) 3 siblings, 1 reply; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 20:58 UTC (permalink / raw) To: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm, Richard Weinberger It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@nod.at> --- This patch applies to the acl software project. --- man/man5/acl.5 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/man/man5/acl.5 b/man/man5/acl.5 index 0db86b325617..2ed144742e37 100644 --- a/man/man5/acl.5 +++ b/man/man5/acl.5 @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. .Xr acl_from_mode 3 , .Xr acl_get_perm 3 , .Xr acl_to_any_text 3 +.Sh NOTES +.Ss Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +ACLs, such an approach is widely regarded as a suboptimal practice. +Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.Xr newuidmap 1 , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. +For more details, please refer to the +.Xr user_namespaces 7 +documentation. .Sh AUTHOR Andreas Gruenbacher, <andreas.gruenbacher@gmail.com> -- 2.26.2 ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 ` [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Richard Weinberger @ 2023-08-30 8:19 ` Christian Brauner 0 siblings, 0 replies; 16+ messages in thread From: Christian Brauner @ 2023-08-30 8:19 UTC (permalink / raw) To: Richard Weinberger Cc: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm On Tue, Aug 29, 2023 at 10:58:31PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the acl software project. > --- > man/man5/acl.5 | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/man/man5/acl.5 b/man/man5/acl.5 > index 0db86b325617..2ed144742e37 100644 > --- a/man/man5/acl.5 > +++ b/man/man5/acl.5 > @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. > .Xr acl_from_mode 3 , > .Xr acl_get_perm 3 , > .Xr acl_to_any_text 3 > +.Sh NOTES > +.Ss Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +ACLs, such an approach is widely regarded as a suboptimal practice. > +Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.Xr newuidmap 1 , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. > +For more details, please refer to the > +.Xr user_namespaces 7 > +documentation. > .Sh AUTHOR > Andreas Gruenbacher, <andreas.gruenbacher@gmail.com> Looks good to me, Acked-by: Christian Brauner <brauner@kernel.org> ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 [PATCH 0/3] Document impact of user namespaces and negative permissions Richard Weinberger 2023-08-29 20:58 ` [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Richard Weinberger @ 2023-08-29 20:58 ` Richard Weinberger 2023-08-29 21:32 ` Alejandro Colomar 2023-08-30 8:18 ` Christian Brauner 2023-08-29 20:58 ` [PATCH 3/3] man: " Richard Weinberger 2023-08-29 21:26 ` [PATCH 0/3] Document impact of user namespaces and negative permissions Alejandro Colomar 3 siblings, 2 replies; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 20:58 UTC (permalink / raw) To: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm, Richard Weinberger It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@nod.at> --- This patch applies to the Linux man-pages project. --- man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index a65854d737cf..4927e194bcdc 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems Linux 3.12 added support for the last of the unsupported major filesystems, .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 XFS. +.SS Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +DAC or ACL settings, such an approach is widely regarded as a suboptimal +practice. Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.BR newuidmap (1) , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. + +Example: +.in +4n +.EX +$ \fBid\fP +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP +uid=0(root) gid=0(root) groups=0(root) +.EE +.in + +User rw got rid of it's supplementary groups and can now access files that +have been protected using negative permissions that match groups such as \fBnogames\fP. +Please note that the +.BR unshare (1) +tool uses internally +.BR newuidmap (1) . + .\" .SH EXAMPLES The program below is designed to allow experimenting with -- 2.26.2 ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 ` [PATCH 2/3] user_namespaces.7: " Richard Weinberger @ 2023-08-29 21:32 ` Alejandro Colomar 2023-08-29 21:38 ` Alejandro Colomar ` (2 more replies) 2023-08-30 8:18 ` Christian Brauner 1 sibling, 3 replies; 16+ messages in thread From: Alejandro Colomar @ 2023-08-29 21:32 UTC (permalink / raw) To: Richard Weinberger, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 3498 bytes --] Hi Richard, On 2023-08-29 22:58, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the Linux man-pages project. > --- > man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index a65854d737cf..4927e194bcdc 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems > Linux 3.12 added support for the last of the unsupported major filesystems, > .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 > XFS. > +.SS Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through Please use semantic newlines. $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' Use semantic newlines In the source of a manual page, new sentences should be started on new lines, long sentences should be split into lines at clause breaks (commas, semicolons, colons, and so on), and long clauses should be split at phrase boundaries. This convention, sometimes known as "semantic newlines", makes it easier to see the effect of patches, which often operate at the level of individual sen‐ tences, clauses, or phrases. > +DAC or ACL settings, such an approach is widely regarded as a suboptimal > +practice. Furthermore, the utilization of Linux user namespaces introduces the Two spaces after period, if at all. But note that semantic newlines preclude that possibility. > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.BR newuidmap (1) , Thas second space is spurious. > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. > + Use .PP instead of blanks. > +Example: > +.in +4n > +.EX > +$ \fBid\fP > +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) > +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP > +uid=0(root) gid=0(root) groups=0(root) This example is not working: $ echo bar > foo $ sudo chmod g= foo $ sudo chown man foo $ ls -l foo -rw----r-- 1 man alx 4 Aug 29 23:28 foo $ cat foo cat: foo: Permission denied $ id uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id unshare: failed to execute ‐S: No such file or directory > +.EE > +.in > + > +User rw got rid of it's supplementary groups and can now access files that > +have been protected using negative permissions that match groups such as \fBnogames\fP. > +Please note that the > +.BR unshare (1) > +tool uses internally > +.BR newuidmap (1) . > + Cheers, Alex > .\" > .SH EXAMPLES > The program below is designed to allow experimenting with -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 21:32 ` Alejandro Colomar @ 2023-08-29 21:38 ` Alejandro Colomar 2023-08-29 21:40 ` Richard Weinberger 2023-08-29 21:39 ` Richard Weinberger 2023-08-30 9:26 ` Alejandro Colomar 2 siblings, 1 reply; 16+ messages in thread From: Alejandro Colomar @ 2023-08-29 21:38 UTC (permalink / raw) To: Richard Weinberger, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 3764 bytes --] On 2023-08-29 23:32, Alejandro Colomar wrote: > Hi Richard, > > On 2023-08-29 22:58, Richard Weinberger wrote: >> It is little known that user namespaces and some helpers >> can be used to bypass negative permissions. >> >> Signed-off-by: Richard Weinberger <richard@nod.at> >> --- >> This patch applies to the Linux man-pages project. >> --- >> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a65854d737cf..4927e194bcdc 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems >> Linux 3.12 added support for the last of the unsupported major filesystems, >> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 >> XFS. >> +.SS Negative permissions and Linux user namespaces >> +While it is technically feasible to establish negative permissions through > > Please use semantic newlines. > > $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' > Use semantic newlines > In the source of a manual page, new sentences should be started > on new lines, long sentences should be split into lines at clause > breaks (commas, semicolons, colons, and so on), and long clauses > should be split at phrase boundaries. This convention, sometimes > known as "semantic newlines", makes it easier to see the effect > of patches, which often operate at the level of individual sen‐ > tences, clauses, or phrases. > >> +DAC or ACL settings, such an approach is widely regarded as a suboptimal >> +practice. Furthermore, the utilization of Linux user namespaces introduces the > > Two spaces after period, if at all. But note that semantic newlines > preclude that possibility. > >> +potential to circumvent specific negative permissions. This issue stems >> +from the fact that privileged helpers, such as >> +.BR newuidmap (1) , > > Thas second space is spurious. > >> +enable unprivileged users to create user namespaces with subordinate user and >> +group IDs. As a consequence, users can drop group memberships, resulting >> +in a situation where negative permissions based on group membership no longer >> +apply. >> + > > Use .PP instead of blanks. > >> +Example: >> +.in +4n >> +.EX >> +$ \fBid\fP >> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) >> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP >> +uid=0(root) gid=0(root) groups=0(root) > > This example is not working: > > $ echo bar > foo > $ sudo chmod g= foo > $ sudo chown man foo > $ ls -l foo > -rw----r-- 1 man alx 4 Aug 29 23:28 foo > $ cat foo > cat: foo: Permission denied > $ id > uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory Ahh, now I see it. You should use \- to produce pastable ASCII 0x2D. > > >> +.EE >> +.in >> + >> +User rw got rid of it's supplementary groups and can now access files that >> +have been protected using negative permissions that match groups such as \fBnogames\fP. >> +Please note that the >> +.BR unshare (1) >> +tool uses internally >> +.BR newuidmap (1) . >> + > > Cheers, > Alex > >> .\" >> .SH EXAMPLES >> The program below is designed to allow experimenting with > -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 21:38 ` Alejandro Colomar @ 2023-08-29 21:40 ` Richard Weinberger 0 siblings, 0 replies; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 21:40 UTC (permalink / raw) To: Alejandro Colomar Cc: Serge E. Hallyn, christian, ipedrosa, gscrivan, Andreas Grünbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm ----- Ursprüngliche Mail ----- > Von: "Alejandro Colomar" <alx@kernel.org> >> uid=1000(alx) gid=1000(alx) >> groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) >> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id >> unshare: failed to execute ‐S: No such file or directory > > Ahh, now I see it. You should use \- to produce pastable ASCII 0x2D. Sorry for that. My troff fu is weak. :-) Thanks, //richard ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 21:32 ` Alejandro Colomar 2023-08-29 21:38 ` Alejandro Colomar @ 2023-08-29 21:39 ` Richard Weinberger 2023-08-29 21:40 ` Alejandro Colomar 2023-08-30 9:26 ` Alejandro Colomar 2 siblings, 1 reply; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 21:39 UTC (permalink / raw) To: Alejandro Colomar Cc: Serge E. Hallyn, christian, ipedrosa, gscrivan, Andreas Grünbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm ----- Ursprüngliche Mail ----- > Von: "Alejandro Colomar" <alx@kernel.org> > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory Well, maybe your unshare tool is too old. AFAIK it uses newuidmap only in recent versions. You can achieve the very same als using podman in rootless mode. e.g. podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt" Thanks, //richard ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 21:39 ` Richard Weinberger @ 2023-08-29 21:40 ` Alejandro Colomar 0 siblings, 0 replies; 16+ messages in thread From: Alejandro Colomar @ 2023-08-29 21:40 UTC (permalink / raw) To: Richard Weinberger Cc: Serge E. Hallyn, christian, ipedrosa, gscrivan, Andreas Grünbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 804 bytes --] On 2023-08-29 23:39, Richard Weinberger wrote: > ----- Ursprüngliche Mail ----- >> Von: "Alejandro Colomar" <alx@kernel.org> >> $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id >> unshare: failed to execute ‐S: No such file or directory > > Well, maybe your unshare tool is too old. > AFAIK it uses newuidmap only in recent versions. I'm on Debian Sid. That's quite unlikely :p (Although Debian Sid still runs make-4.3, so it wouldn't be crazy). > > You can achieve the very same als using podman in rootless mode. > e.g. > podman run -it -v /scratch:/scratch/ bash -c "cat /scratch/games/game.txt" > > Thanks, > //richard -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 21:32 ` Alejandro Colomar 2023-08-29 21:38 ` Alejandro Colomar 2023-08-29 21:39 ` Richard Weinberger @ 2023-08-30 9:26 ` Alejandro Colomar 2 siblings, 0 replies; 16+ messages in thread From: Alejandro Colomar @ 2023-08-30 9:26 UTC (permalink / raw) To: Richard Weinberger, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 3965 bytes --] Hi, On 2023-08-29 23:32, Alejandro Colomar wrote: > Hi Richard, > > On 2023-08-29 22:58, Richard Weinberger wrote: >> It is little known that user namespaces and some helpers >> can be used to bypass negative permissions. >> >> Signed-off-by: Richard Weinberger <richard@nod.at> >> --- >> This patch applies to the Linux man-pages project. >> --- >> man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ >> 1 file changed, 29 insertions(+) >> >> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a65854d737cf..4927e194bcdc 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems >> Linux 3.12 added support for the last of the unsupported major filesystems, >> .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 >> XFS. >> +.SS Negative permissions and Linux user namespaces >> +While it is technically feasible to establish negative permissions through > > Please use semantic newlines. > > $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p' > Use semantic newlines > In the source of a manual page, new sentences should be started > on new lines, long sentences should be split into lines at clause > breaks (commas, semicolons, colons, and so on), and long clauses > should be split at phrase boundaries. This convention, sometimes > known as "semantic newlines", makes it easier to see the effect > of patches, which often operate at the level of individual sen‐ > tences, clauses, or phrases. > >> +DAC or ACL settings, such an approach is widely regarded as a suboptimal >> +practice. Furthermore, the utilization of Linux user namespaces introduces the > > Two spaces after period, if at all. But note that semantic newlines > preclude that possibility. I should clarify that this is not a matter of style. Software will behave incorrectly if you don't double-space after a period. In shadow, I see that there's only one space after period in all of the pages. I'll send a patch to fix that. Cheers, Alex > >> +potential to circumvent specific negative permissions. This issue stems >> +from the fact that privileged helpers, such as >> +.BR newuidmap (1) , > > Thas second space is spurious. > >> +enable unprivileged users to create user namespaces with subordinate user and >> +group IDs. As a consequence, users can drop group memberships, resulting >> +in a situation where negative permissions based on group membership no longer >> +apply. >> + > > Use .PP instead of blanks. > >> +Example: >> +.in +4n >> +.EX >> +$ \fBid\fP >> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) >> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP >> +uid=0(root) gid=0(root) groups=0(root) > > This example is not working: > > $ echo bar > foo > $ sudo chmod g= foo > $ sudo chown man foo > $ ls -l foo > -rw----r-- 1 man alx 4 Aug 29 23:28 foo > $ cat foo > cat: foo: Permission denied > $ id > uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner) > $ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id > unshare: failed to execute ‐S: No such file or directory > > >> +.EE >> +.in >> + >> +User rw got rid of it's supplementary groups and can now access files that >> +have been protected using negative permissions that match groups such as \fBnogames\fP. >> +Please note that the >> +.BR unshare (1) >> +tool uses internally >> +.BR newuidmap (1) . >> + > > Cheers, > Alex > >> .\" >> .SH EXAMPLES >> The program below is designed to allow experimenting with > -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 ` [PATCH 2/3] user_namespaces.7: " Richard Weinberger 2023-08-29 21:32 ` Alejandro Colomar @ 2023-08-30 8:18 ` Christian Brauner 1 sibling, 0 replies; 16+ messages in thread From: Christian Brauner @ 2023-08-30 8:18 UTC (permalink / raw) To: Richard Weinberger Cc: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm On Tue, Aug 29, 2023 at 10:58:32PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the Linux man-pages project. > --- > man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index a65854d737cf..4927e194bcdc 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems > Linux 3.12 added support for the last of the unsupported major filesystems, > .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 > XFS. > +.SS Negative permissions and Linux user namespaces > +While it is technically feasible to establish negative permissions through > +DAC or ACL settings, such an approach is widely regarded as a suboptimal > +practice. Furthermore, the utilization of Linux user namespaces introduces the > +potential to circumvent specific negative permissions. This issue stems > +from the fact that privileged helpers, such as > +.BR newuidmap (1) , > +enable unprivileged users to create user namespaces with subordinate user and > +group IDs. As a consequence, users can drop group memberships, resulting > +in a situation where negative permissions based on group membership no longer > +apply. For the content, Acked-by: Christian Brauner <brauner@kernel.org> ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 [PATCH 0/3] Document impact of user namespaces and negative permissions Richard Weinberger 2023-08-29 20:58 ` [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Richard Weinberger 2023-08-29 20:58 ` [PATCH 2/3] user_namespaces.7: " Richard Weinberger @ 2023-08-29 20:58 ` Richard Weinberger 2023-08-30 8:19 ` Christian Brauner 2023-08-29 21:26 ` [PATCH 0/3] Document impact of user namespaces and negative permissions Alejandro Colomar 3 siblings, 1 reply; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 20:58 UTC (permalink / raw) To: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm, Richard Weinberger It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@nod.at> --- This patch applies to the shadow project. --- man/subgid.5.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/man/subgid.5.xml b/man/subgid.5.xml index e473768d..8ed281e5 100644 --- a/man/subgid.5.xml +++ b/man/subgid.5.xml @@ -55,6 +55,15 @@ <filename>/etc/subgid</filename> if subid delegation is managed via subid files. </para> + <para> + Additionally, it's worth noting that the utilization of subordinate group + IDs can affect the enforcement of negative permissions. User can drop their + supplementary groups and bypass certain negative permissions. + For more details see + <citerefentry> + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>. + </para> </refsect1> <refsect1 id='local-subordinate-delegation'> -- 2.35.3 ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces 2023-08-29 20:58 ` [PATCH 3/3] man: " Richard Weinberger @ 2023-08-30 8:19 ` Christian Brauner 0 siblings, 0 replies; 16+ messages in thread From: Christian Brauner @ 2023-08-30 8:19 UTC (permalink / raw) To: Richard Weinberger Cc: alx, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the shadow project. > --- > man/subgid.5.xml | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/man/subgid.5.xml b/man/subgid.5.xml > index e473768d..8ed281e5 100644 > --- a/man/subgid.5.xml > +++ b/man/subgid.5.xml > @@ -55,6 +55,15 @@ > <filename>/etc/subgid</filename> if subid delegation is managed via subid > files. > </para> > + <para> > + Additionally, it's worth noting that the utilization of subordinate group > + IDs can affect the enforcement of negative permissions. User can drop their > + supplementary groups and bypass certain negative permissions. > + For more details see > + <citerefentry> > + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum> > + </citerefentry>. > + </para> > </refsect1> Looks good to me (content), Acked-by: Christian Brauner <brauner@kernel.org> ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 0/3] Document impact of user namespaces and negative permissions 2023-08-29 20:58 [PATCH 0/3] Document impact of user namespaces and negative permissions Richard Weinberger ` (2 preceding siblings ...) 2023-08-29 20:58 ` [PATCH 3/3] man: " Richard Weinberger @ 2023-08-29 21:26 ` Alejandro Colomar 2023-08-29 21:32 ` Richard Weinberger 3 siblings, 1 reply; 16+ messages in thread From: Alejandro Colomar @ 2023-08-29 21:26 UTC (permalink / raw) To: Richard Weinberger, serge, christian, ipedrosa, gscrivan, andreas.gruenbacher Cc: acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 1767 bytes --] Hello Richard, On 2023-08-29 22:58, Richard Weinberger wrote: > I'm sending out this patch series to document the current situation regarding > negative permissions and user namespaces. > > From what I understand, the general agreement is that negative permissions > are not recommended and should be avoided. This is why the ability to somewhat > bypass these permissions using user namespaces is tolerated, as it's deemed > not worth the complexity to address this without breaking exsting programs such > as podman. > > To be clear, the current way of bypassing negative permissions, whether DAC or > ACL, isn't a result of a kernel flaw. The kernel issue related to this was > resolved with CVE-2014-8989. Currently, certain privileged helpers like > newuidmap allow regular users to create user namespaces with subordinate user > and group ID mappings. > This allows users to effectively drop their extra group memberships. > > I recently stumbled upon this behavior while looking into how rootless containers > work. In conversations with the maintainers of the shadow package, I learned that > this behavior is both known and intended. > So, let's make sure to document it as well. Can you please provide a small shell session where this is exemplified? I.e., please show how a user (or group member) can read a file with u= (or g= ) permissions on the file. I.e., what can you do from here?: $ echo bar > foo $ ls -l foo -rw-r--r-- 1 alx alx 4 Aug 29 23:24 foo $ chmod u= foo $ sudo chmod g= foo $ ls -l foo -------r-- 1 alx alx 4 Aug 29 23:24 foo $ cat foo cat: foo: Permission denied Cheers, Alex -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 0/3] Document impact of user namespaces and negative permissions 2023-08-29 21:26 ` [PATCH 0/3] Document impact of user namespaces and negative permissions Alejandro Colomar @ 2023-08-29 21:32 ` Richard Weinberger 2023-09-13 14:35 ` Alejandro Colomar 0 siblings, 1 reply; 16+ messages in thread From: Richard Weinberger @ 2023-08-29 21:32 UTC (permalink / raw) To: Alejandro Colomar Cc: Serge E. Hallyn, christian, ipedrosa, gscrivan, Andreas Grünbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm ----- Ursprüngliche Mail ----- > Von: "Alejandro Colomar" <alx@kernel.org> > Can you please provide a small shell session where this is exemplified? Sure. I sent the following to the shadow maintainers privately on Friday, but since the issue is already known for years I don't hesitate to share. # On a Debian Bookworm # So far no entries are installed. $ cat /etc/subuid # useradd automatically does so. $ useradd -m rw $ cat /etc/subuid rw:100000:65536 # Let's create a folder where the group "nogames" has no permissions. $ mkdir /games $ echo win > /games/game.txt $ groupadd nogames $ chown -R root:nogames /games $ chmod 705 /games # User "rw" must not play games $ usermod -G nogames rw # Works as expected rw@localhost:~$ id uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) rw@localhost:~$ cat /games/game.txt cat: /games/game.txt: Permission denied # By using unshare (which utilizes the newuidmap helper) we can get rid of the "nogames" group. rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id uid=0(root) gid=0(root) groups=0(root) rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 cat /games/game.txt win Thanks, //richard ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 0/3] Document impact of user namespaces and negative permissions 2023-08-29 21:32 ` Richard Weinberger @ 2023-09-13 14:35 ` Alejandro Colomar 0 siblings, 0 replies; 16+ messages in thread From: Alejandro Colomar @ 2023-09-13 14:35 UTC (permalink / raw) To: Richard Weinberger Cc: Serge E. Hallyn, christian, ipedrosa, gscrivan, Andreas Grünbacher, acl-devel, linux-man, linux-api, linux-fsdevel, ebiederm [-- Attachment #1.1: Type: text/plain, Size: 1640 bytes --] Hi Richard, On 2023-08-29 23:32, Richard Weinberger wrote: > ----- Ursprüngliche Mail ----- >> Von: "Alejandro Colomar" <alx@kernel.org> >> Can you please provide a small shell session where this is exemplified? > > Sure. I sent the following to the shadow maintainers privately on Friday, > but since the issue is already known for years I don't hesitate to share. > > # On a Debian Bookworm > # So far no entries are installed. > $ cat /etc/subuid > > # useradd automatically does so. > $ useradd -m rw > $ cat /etc/subuid > rw:100000:65536 > > # Let's create a folder where the group "nogames" has no permissions. > $ mkdir /games > $ echo win > /games/game.txt > $ groupadd nogames > $ chown -R root:nogames /games > $ chmod 705 /games > > # User "rw" must not play games > $ usermod -G nogames rw > > # Works as expected > rw@localhost:~$ id > uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) > rw@localhost:~$ cat /games/game.txt > cat: /games/game.txt: Permission denied > > # By using unshare (which utilizes the newuidmap helper) we can get rid of the "nogames" group. > rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id > uid=0(root) gid=0(root) groups=0(root) > > rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 cat /games/game.txt > win > > Thanks, > //richard Thanks! Please include this in the commit message (at least for the Linux man-pages one). Cheers, Alex -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2023-09-13 14:35 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-08-29 20:58 [PATCH 0/3] Document impact of user namespaces and negative permissions Richard Weinberger 2023-08-29 20:58 ` [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Richard Weinberger 2023-08-30 8:19 ` Christian Brauner 2023-08-29 20:58 ` [PATCH 2/3] user_namespaces.7: " Richard Weinberger 2023-08-29 21:32 ` Alejandro Colomar 2023-08-29 21:38 ` Alejandro Colomar 2023-08-29 21:40 ` Richard Weinberger 2023-08-29 21:39 ` Richard Weinberger 2023-08-29 21:40 ` Alejandro Colomar 2023-08-30 9:26 ` Alejandro Colomar 2023-08-30 8:18 ` Christian Brauner 2023-08-29 20:58 ` [PATCH 3/3] man: " Richard Weinberger 2023-08-30 8:19 ` Christian Brauner 2023-08-29 21:26 ` [PATCH 0/3] Document impact of user namespaces and negative permissions Alejandro Colomar 2023-08-29 21:32 ` Richard Weinberger 2023-09-13 14:35 ` Alejandro Colomar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).