Message ID | 20230829205833.14873-4-richard@nod.at (mailing list archive)
---|---
State | New
Series | Document impact of user namespaces and negative permissions
On Tue, Aug 29, 2023 at 10:58:33PM +0200, Richard Weinberger wrote: > It is little known that user namespaces and some helpers > can be used to bypass negative permissions. > > Signed-off-by: Richard Weinberger <richard@nod.at> > --- > This patch applies to the shadow project. > --- > man/subgid.5.xml | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/man/subgid.5.xml b/man/subgid.5.xml > index e473768d..8ed281e5 100644 > --- a/man/subgid.5.xml > +++ b/man/subgid.5.xml > @@ -55,6 +55,15 @@ > <filename>/etc/subgid</filename> if subid delegation is managed via subid > files. > </para> > + <para> > + Additionally, it's worth noting that the utilization of subordinate group > + IDs can affect the enforcement of negative permissions. User can drop their > + supplementary groups and bypass certain negative permissions. > + For more details see > + <citerefentry> > + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum> > + </citerefentry>. > + </para> > </refsect1> Looks good to me (content), Acked-by: Christian Brauner <brauner@kernel.org>
diff --git a/man/subgid.5.xml b/man/subgid.5.xml index e473768d..8ed281e5 100644 --- a/man/subgid.5.xml +++ b/man/subgid.5.xml @@ -55,6 +55,15 @@ <filename>/etc/subgid</filename> if subid delegation is managed via subid files. </para> + <para> + Additionally, it's worth noting that the utilization of subordinate group + IDs can affect the enforcement of negative permissions. User can drop their + supplementary groups and bypass certain negative permissions. + For more details see + <citerefentry> + <refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>. + </para> </refsect1> <refsect1 id='local-subordinate-delegation'>
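Review bot: the new <para> in the subgid.5.xml hunk has a grammatical slip and leaves the mechanism unnamed. "User can drop their supplementary groups" should read "Users can drop their supplementary groups", and "the utilization of subordinate group IDs" reads more naturally as "the use of subordinate group IDs". The commit message speaks of "user namespaces and some helpers", but the paragraph itself never says which helper is meant; since this is subgid(5), consider naming the subgid-consuming helper (e.g. newgidmap(1)) and stating that the bypass works by dropping supplementary groups inside a user namespace, rather than deferring the whole explanation to user_namespaces(7). A possible wording for the second sentence: "Once a user namespace has a gid_map set up via such a helper, users can drop their supplementary groups and bypass certain negative permissions."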
It is little known that user namespaces and some helpers can be used to bypass negative permissions.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
This patch applies to the shadow project.
---
 man/subgid.5.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
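The patch relies on the reader knowing what a "negative permission" is and why emptying the supplementary group list defeats it. The following is an added illustration, not part of the patch or of the shadow project: a small Python model of the POSIX/Linux permission-class selection (owner, then group, then other, with no fallback between classes) applied to a constructed file with mode 0705 and a constructed user who is a supplementary member of the file's group. It only models the check; it does not call setgroups(2), does not create a user namespace, and all uids, gids and paths are made up.

```python
"""Model of the POSIX file-permission check, showing why a 'negative'
permission (a mode that gives the file's group FEWER rights than 'other')
only holds while the caller is still a member of that group.

Added illustration for the subgid(5) note above; not shadow code.
All ids, modes and names below are constructed sample values.
"""
import stat
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int                                   # primary gid (not affected by setgroups)
    groups: frozenset = field(default_factory=frozenset)  # supplementary gids


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int                                  # permission bits only, e.g. 0o705


def may_read(inode: Inode, cred: Cred) -> bool:
    """Class selection as the kernel does it: exactly one of owner/group/other
    applies, chosen in that order. If the caller is in the file's group and the
    group bits deny, the check fails even though 'other' would have allowed it."""
    if cred.uid == inode.uid:
        bits = (inode.mode & stat.S_IRWXU) >> 6
    elif cred.gid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode & stat.S_IRWXG) >> 3
    else:
        bits = inode.mode & stat.S_IRWXO
    return bool(bits & 0o4)


def is_negative_permission(inode: Inode) -> bool:
    """A mode is 'negative' for the group class when 'other' may do something
    the group may not, e.g. 0o705: owner rwx, group ---, other r-x."""
    g = (inode.mode & stat.S_IRWXG) >> 3
    o = inode.mode & stat.S_IRWXO
    return bool(o & ~g)


def drop_supplementary(cred: Cred) -> Cred:
    """Effect of setgroups(2) with an empty list: the supplementary list is
    emptied, the primary gid stays. (Modelled, not executed.)"""
    return Cred(cred.uid, cred.gid, frozenset())


def demo():
    # Constructed sample: a file owned by root, group 'blocked' (gid 2000),
    # mode 0705 -> everyone EXCEPT members of 'blocked' may read it.
    secret = Inode(uid=0, gid=2000, mode=0o705)
    # Constructed unprivileged user: primary gid 1000, supplementary gid 2000.
    alice = Cred(uid=1000, gid=1000, groups=frozenset({2000}))
    before = may_read(secret, alice)                      # group class applies -> denied
    after = may_read(secret, drop_supplementary(alice))   # falls to 'other' -> allowed
    return is_negative_permission(secret), before, after


if __name__ == "__main__":
    negative, before, after = demo()
    print(f"negative permission: {negative}")
    print(f"readable with supplementary group 2000: {before}")
    print(f"readable after dropping supplementary groups: {after}")
```

The model makes the two points the man-page paragraph compresses into one sentence: a negative permission is enforced purely by membership in the file's group, and only the supplementary list can be shed this way; a user whose primary gid is the denied group stays in the group class and remains blocked. Which helpers let an unprivileged process reach a state where setgroups(2) succeeds is exactly what the patch defers to user_namespaces(7).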