On 2017-12-21, Eric W. Biederman wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
>
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change its permissions.

This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.

I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
interested in?

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH