From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@suse.de>
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"Linux Containers" <containers@lists.linux-foundation.org>,
linux-security-module@vger.kernel.org,
"Mahesh Bandewar" <maheshb@google.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Willem de Bruijn" <willemb@google.com>
Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
Date: Fri, 22 Dec 2017 08:21:38 -0600 [thread overview]
Message-ID: <87r2rmg7wt.fsf@xmission.com> (raw)
In-Reply-To: <20171222021733.rerkt6mhpf3cb3oe@gordon> (Aleksa Sarai's message of "Fri, 22 Dec 2017 13:17:34 +1100")
Aleksa Sarai <asarai@suse.de> writes:
> On 2017-12-21, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Good point about CAP_DAC_OVERRIDE on files you own.
>>
>> I think there is an argument that you are playing dangerous games with
>> the permission system there, as it isn't effectively a file you own if
>> you can't read it, and you can't change it's permissions.
>
> This problem reminds me of the whole "unmapped group" problem. If you
> have access to a file through an unmapped group you can still access a
> file -- which to me is wrong. I understand the need for checking
> unmapped groups in order to fix the "chmod 707" problem, but I think
> that unmapped groups should only *block* access and never *grant* it.
>
> I was working on a patch for that issue a while ago but it touched more
> VFS than I was comfortable with. Eric, is that a fix you would be
> interested in?
I am not certain. I don't see how there is a problem with an unmapped
group granting permissions. You are talking about a scenario where a
more privileged login program set your groups, and uid and gid. The
process despite being a user namespace does not have permission to
transition them. As such I don't see the harm.
But spell it out for me, and deal with ensuring we don't have user space
regressions and I will take a patch that improves the security of user
namespaces.
I think the issue that raised all of this is that dropping a group can
in rare instances increase permissions. I have heard people grumble at
me that the way I handle it with /etc/subuid might break things on some
people's systems. AKA don't allow it by default but allow root to
configure a way for people using user namespaces to do that. I have yet
to see someone come forward and say that is a problem in the real world.
If it actually is a problem I want to hear about it.
Eric
prev parent reply other threads:[~2017-12-22 14:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-21 21:06 [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch Maciej Żenczykowski
2017-12-21 21:44 ` Eric W. Biederman
2017-12-22 1:03 ` Maciej Żenczykowski
2017-12-22 1:18 ` Eric W. Biederman
2017-12-22 1:51 ` Maciej Żenczykowski
2017-12-22 14:08 ` Eric W. Biederman
2018-01-03 11:23 ` Christian Brauner
2017-12-22 2:17 ` Aleksa Sarai
2017-12-22 14:21 ` Eric W. Biederman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r2rmg7wt.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=asarai@suse.de \
--cc=containers@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maheshb@google.com \
--cc=willemb@google.com \
--cc=zenczykowski@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).