Issue in man page user_namespaces.7

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    Text missing? in order to drop → in order to drop privileges?

"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
"   \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
"   *unprivileged* users to employ user namespaces in order to drop\n"
"   The upshot of the 3.19 changes is that in order to update the\n"
"   \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
"   user namespace must first be disabled by writing \"deny\" to one of\n"
"   the /proc/PID/setgroups files for this namespace.  That is the\n"
"   purpose of the following function. */\n"

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 904 bytes --]



On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
> 
> Issue:    Text missing? in order to drop → in order to drop privileges?

 From what I read, I think it wanted to say "drop groups".

Fixed.  Thanks!

Cheers,

Alex

> 
> "/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
> "   \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
> "   *unprivileged* users to employ user namespaces in order to drop\n"
> "   The upshot of the 3.19 changes is that in order to update the\n"
> "   \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
> "   user namespace must first be disabled by writing \"deny\" to one of\n"
> "   the /proc/PID/setgroups files for this namespace.  That is the\n"
> "   purpose of the following function. */\n"

-- 
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 1842 bytes --]

Hi Helge,

On 3/12/23 06:06, Helge Kreutzmann wrote:
> Hello Alex,
> On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
>> Hi Helge,
>>
>> On 3/11/23 18:13, Helge Kreutzmann wrote:
>>> Without further ado, the following was found:
>>>
>>> Issue:    /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
>>
>> I don't find this.  Please report with more context.
> 
>        Writing "deny" to the /proc/pid/setgroups file before writing to /proc/pid/gid_map will permanently disable setgroups(2) in a user namespace and allow writing to /proc/pid/gid_map without having the CAP_SETGID capability in the
>        parent user namespace.
> 
>    The /proc/pid/setgroups file
>        The /proc/pid/setgroups file displays the string "allow" if processes in the user namespace that contains the process pid are permitted to employ the setgroups(2) system call; it displays "deny" if setgroups(2) is not permitted
>        in that user namespace.  Note that regardless of the value in the /proc/pid/setgroups file (and regardless of the process's capabilities), calls to setgroups(2) are also not permitted if /proc/pid/gid_map has not yet been set.
> 
>> Cheers,
>>
>> Alex
>>
>>>
>>> "The /proc/I<pid>/setgroups file"
> 
> 
> I assume this is as intended, i.e. like in the other bug report 
> where you said you fixed it the other way around?
> 
> Then I add a WONTFIX, of course.

Ahh, now I understand.  Since you didn't use B<> in the report,
I didn't think you referred to the subsection heading.

Now that I think, it should be inverted here too.  The file name
should be in italics, and the variable part in roman.

Cheers,

Alex

> 
> Greetings
> 
>            Helge
> 

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Issue in man page user_namespaces.7

[Helge Kreutzmann]

[-- Attachment #1: Type: text/plain, Size: 1658 bytes --]

Hello Alex,
On Sun, Mar 12, 2023 at 12:25:12AM +0100, Alejandro Colomar wrote:
> Hi Helge,
> 
> On 3/11/23 18:13, Helge Kreutzmann wrote:
> > Without further ado, the following was found:
> > 
> > Issue:    /proc/I<pid>/setgroups → I</proc/>pidI</setgroups
> 
> I don't find this.  Please report with more context.

       Writing "deny" to the /proc/pid/setgroups file before writing to /proc/pid/gid_map will permanently disable setgroups(2) in a user namespace and allow writing to /proc/pid/gid_map without having the CAP_SETGID capability in the
       parent user namespace.

   The /proc/pid/setgroups file
       The /proc/pid/setgroups file displays the string "allow" if processes in the user namespace that contains the process pid are permitted to employ the setgroups(2) system call; it displays "deny" if setgroups(2) is not permitted
       in that user namespace.  Note that regardless of the value in the /proc/pid/setgroups file (and regardless of the process's capabilities), calls to setgroups(2) are also not permitted if /proc/pid/gid_map has not yet been set.

> Cheers,
> 
> Alex
> 
> > 
> > "The /proc/I<pid>/setgroups file"


I assume this is as intended, i.e. like in the other bug report 
where you said you fixed it the other way around?

Then I add a WONTFIX, of course.

Greetings

           Helge

-- 
      Dr. Helge Kreutzmann                     debian@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 398 bytes --]

Hi Helge,

On 3/11/23 18:13, Helge Kreutzmann wrote:
> Without further ado, the following was found:
> 
> Issue:    /proc/I<pid>/setgroups → I</proc/>pidI</setgroups

I don't find this.  Please report with more context.

Cheers,

Alex

> 
> "The /proc/I<pid>/setgroups file"

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    /proc/I<pid>/setgroups → I</proc/>pidI</setgroups

"The /proc/I<pid>/setgroups file"

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 2492 bytes --]

Hi Helge,

On 1/22/23 20:31, Helge Kreutzmann wrote:
> Without further ado, the following was found:
> 
> Issue 1:  I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
> Issue 2:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
> Issue 3:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
> 
> "Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to"
> "I</proc/ pid /gid_map> will permanently disable B<setgroups>(2)  in a user"
> "namespace and allow writing to I</proc/ pid /gid_map> without having the"
> "B<CAP_SETGID> capability in the parent user namespace."

Fixed.

Thanks,
Alex


commit d752f865c0355435519c41470ad4cf33ae8557ae (HEAD -> master)
Author: Alejandro Colomar <alx@kernel.org>
Date:   Sun Jan 22 22:15:17 2023 +0100

     user_namespaces.7: ffix

     Reported-by: Helge Kreutzmann <debian@helgefjell.de>
     Cc: Mario Blaettermann <mario.blaettermann@gmail.com>
     Signed-off-by: Alejandro Colomar <alx@kernel.org>

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 838c09278..73d8a4eb8 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -722,9 +722,9 @@ .SS Interaction with system calls that change process UIDs 
or GIDs
  Writing
  .RI \(dq deny \(dq
  to the
-.I /proc/ pid /setgroups
+.IR /proc/ pid /setgroups
  file before writing to
-.I /proc/ pid /gid_map
+.IR /proc/ pid /gid_map
  .\" Things changed in Linux 3.19
  .\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
  .\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
@@ -732,14 +732,14 @@ .SS Interaction with system calls that change process UIDs 
or GIDs
  will permanently disable
  .BR setgroups (2)
  in a user namespace and allow writing to
-.I /proc/ pid /gid_map
+.IR /proc/ pid /gid_map
  without having the
  .B CAP_SETGID
  capability in the parent user namespace.
  .\"
  .\" ============================================================
  .\"
-.SS The /proc/ pid /setgroups file
+.SS The /proc/\fIpid\fP/setgroups file
  .\"
  .\" commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
  .\" commit 66d2f338ee4c449396b6f99f5e75cd18eb6df272
@@ -839,7 +839,7 @@ .SS The /proc/ pid /setgroups file
  this user namespace.
  .PP
  The
-.I /proc/ pid /setgroups
+.IR /proc/ pid /setgroups
  file was added in Linux 3.19,
  but was backported to many earlier stable kernel series,
  because it addresses a security issue.


-- 
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    /proc/ pid /setgroups → I</proc/>pidI</setgroups

"The /proc/ pid /setgroups file"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue 1:  I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
Issue 2:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
Issue 3:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>

"Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to "
"I</proc/ pid /gid_map> will permanently disable B<setgroups>(2)  in a user "
"namespace and allow writing to I</proc/ pid /gid_map> without having the "
"B<CAP_SETGID> capability in the parent user namespace."

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 612 bytes --]



On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
> 
> Issue:    I<usage()>  → I<usage>()
> 
> "The program below is designed to allow experimenting with user namespaces,"
> "as well as other types of namespaces.  It creates namespaces as specified by"
> "command-line options and then executes a command inside those namespaces."
> "The comments and I<usage()> function inside the program provide a full"
> "explanation of the program.  The following shell session demonstrates its"
> "use."

Fixed.  Thanks.

-- 
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Issue in man page user_namespaces.7

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 747 bytes --]



On 12/4/22 10:07, Helge Kreutzmann wrote:
> Without further ado, the following was found:
> 
> Issue 1:  The same is also of other → The same is true also for other
> Issue 2:  Missing full stop at the end
> 
> "In order to determine permissions when an unprivileged process accesses a"
> "file, the process credentials (UID, GID) and the file credentials are in"
> "effect mapped back to what they would be in the initial user namespace and"
> "then compared to determine the permissions that the process has on the"
> "file.  The same is also of other objects that employ the credentials plus"
> "permissions mask accessibility model, such as System V IPC objects"

Fixed.  Thanks.

-- 
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    /proc/[pid]/setgroups → I</proc/[PID]/setgroups>

"The /proc/[pid]/setgroups file"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    I<usage()>  → I<usage>()

"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces.  It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces.  "
"The comments and I<usage()> function inside the program provide a full "
"explanation of the program.  The following shell session demonstrates its "
"use."

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue 1:  The same is also of other → The same is true also for other
Issue 2:  Missing full stop at the end

"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file.  The same is also of other objects that employ the credentials plus "
"permissions mask accessibility model, such as System V IPC objects"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue 1:  I</proc/ pid /setgroups> → I</proc/>pidI</setgroups>
Issue 2:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>
Issue 3:  I</proc/ pid /gid_map> → I</proc/>pidI</gid_map>

"Writing \"I<deny>\" to the I</proc/ pid /setgroups> file before writing to "
"I</proc/ pid /gid_map> will permanently disable B<setgroups>(2)  in a user "
"namespace and allow writing to I</proc/ pid /gid_map> without having the "
"B<CAP_SETGID> capability in the parent user namespace."

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    /proc/ pid /setgroups → I</proc/>pidI</setgroups

"The /proc/ pid /setgroups file"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    I<usage()>  → I<usage>()

"The program below is designed to allow experimenting with user namespaces, "
"as well as other types of namespaces.  It creates namespaces as specified by "
"command-line options and then executes a command inside those namespaces.  "
"The comments and I<usage()> function inside the program provide a full "
"explanation of the program.  The following shell session demonstrates its "
"use."

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:    Text missing? in order to drop → in order to drop privileges?

"/* Linux 3.19 made a change in the handling of setgroups(2) and the\n"
"   \\(aqgid_map\\(aq file to address a security issue. The issue allowed\n"
"   *unprivileged* users to employ user namespaces in order to drop\n"
"   The upshot of the 3.19 changes is that in order to update the\n"
"   \\(aqgid_maps\\(aq file, use of the setgroups() system call in this\n"
"   user namespace must first be disabled by writing \"deny\" to one of\n"
"   the /proc/PID/setgroups files for this namespace.  That is the\n"
"   purpose of the following function. */\n"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue:   /proc/[pid]/setgroups → I</proc/[PID]/setgroups>

"The /proc/[pid]/setgroups file"

Issue in man page user_namespaces.7

[Helge Kreutzmann]

Without further ado, the following was found:

Issue 1:  The same is also of other → The same is true also for other
Issue 2:  Missing full stop at the end

"In order to determine permissions when an unprivileged process accesses a "
"file, the process credentials (UID, GID) and the file credentials are in "
"effect mapped back to what they would be in the initial user namespace and "
"then compared to determine the permissions that the process has on the "
"file.  The same is also of other objects that employ the credentials plus "
"permissions mask accessibility model, such as System V IPC objects"