From: Aleksa Sarai <asarai@suse.de>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"Linux Containers" <containers@lists.linux-foundation.org>,
linux-security-module@vger.kernel.org,
"Mahesh Bandewar" <maheshb@google.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Willem de Bruijn" <willemb@google.com>
Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
Date: Fri, 22 Dec 2017 13:17:34 +1100 [thread overview]
Message-ID: <20171222021733.rerkt6mhpf3cb3oe@gordon> (raw)
In-Reply-To: <87fu83lfw5.fsf@xmission.com>
[-- Attachment #1: Type: text/plain, Size: 947 bytes --]
On 2017-12-21, Eric W. Biederman <ebiederm@xmission.com> wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
>
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change it's permissions.
This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.
I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
interested in?
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-12-22 2:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-21 21:06 [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch Maciej Żenczykowski
2017-12-21 21:44 ` Eric W. Biederman
2017-12-22 1:03 ` Maciej Żenczykowski
2017-12-22 1:18 ` Eric W. Biederman
2017-12-22 1:51 ` Maciej Żenczykowski
2017-12-22 14:08 ` Eric W. Biederman
2018-01-03 11:23 ` Christian Brauner
2017-12-22 2:17 ` Aleksa Sarai [this message]
2017-12-22 14:21 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171222021733.rerkt6mhpf3cb3oe@gordon \
--to=asarai@suse.de \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maheshb@google.com \
--cc=willemb@google.com \
--cc=zenczykowski@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).