From patchwork Tue Aug 29 20:58:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Weinberger X-Patchwork-Id: 13369566 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB215C83F1C for ; Tue, 29 Aug 2023 20:59:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240564AbjH2U7H (ORCPT ); Tue, 29 Aug 2023 16:59:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240632AbjH2U6y (ORCPT ); Tue, 29 Aug 2023 16:58:54 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 97F3A1BF; Tue, 29 Aug 2023 13:58:49 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 5B0386234894; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id fuS8b0GbR-6i; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id EFF8E6234895; Tue, 29 Aug 2023 22:58:46 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wdueR4L3iX8K; Tue, 29 Aug 2023 22:58:46 +0200 (CEST) Received: from blindfold.corp.sigma-star.at (84-115-238-89.cable.dynamic.surfer.at [84.115.238.89]) by lithops.sigma-star.at (Postfix) with ESMTPSA id 7D0A06418DB5; Tue, 29 Aug 2023 22:58:46 +0200 (CEST) 
From: Richard Weinberger To: alx@kernel.org, serge@hallyn.com, christian@brauner.io, ipedrosa@redhat.com, gscrivan@redhat.com, andreas.gruenbacher@gmail.com Cc: acl-devel@nongnu.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, ebiederm@xmission.com, Richard Weinberger Subject: [PATCH 1/3] man: Document pitfall with negative permissions and user namespaces Date: Tue, 29 Aug 2023 22:58:31 +0200 Message-Id: <20230829205833.14873-2-richard@nod.at> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20230829205833.14873-1-richard@nod.at> References: <20230829205833.14873-1-richard@nod.at> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger Acked-by: Christian Brauner --- This patch applies to the acl software project. --- man/man5/acl.5 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/man/man5/acl.5 b/man/man5/acl.5 index 0db86b325617..2ed144742e37 100644 --- a/man/man5/acl.5 +++ b/man/man5/acl.5 
@@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. .Xr acl_from_mode 3 , .Xr acl_get_perm 3 , .Xr acl_to_any_text 3 +.Sh NOTES +.Ss Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +ACLs, such an approach is widely regarded as a suboptimal practice. +Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.Xr newuidmap 1 , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. +For more details, please refer to the +.Xr user_namespaces 7 +documentation. .Sh AUTHOR Andreas Gruenbacher, From patchwork Tue Aug 29 20:58:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Weinberger X-Patchwork-Id: 13369564 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E6D4C83F1A for ; Tue, 29 Aug 2023 20:59:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240552AbjH2U7E (ORCPT ); Tue, 29 Aug 2023 16:59:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42854 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240630AbjH2U6y (ORCPT ); Tue, 29 Aug 2023 16:58:54 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 988EFCC2; Tue, 29 Aug 2023 13:58:49 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at 
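Review bot: the new NOTES text attributes the pitfall to "subordinate user and group IDs" but names only newuidmap(1); the helper that installs the group mapping is newgidmap(1) (from the same shadow project that patch 3/3 targets), and it is the group-ID mapping that lets the process drop its supplementary groups, so name newgidmap(1) alongside or instead of newuidmap(1). It would also help administrators who rely on deny-style group entries to state when the pitfall applies, namely to users who actually have subordinate IDs delegated to them (the /etc/subgid case documented by patch 3/3), so that they know what to audit. Minor style: "such an approach is widely regarded as a suboptimal practice" and "For more details, please refer to ... documentation" are wordier than the rest of the page; "Negative permissions are discouraged" and "See user_namespaces(7)" would match the surrounding text.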
(Postfix) with ESMTP id CF4F46418DB0; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id CkVWw-zOtbhk; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 78DEF623489F; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Ug5bhtGMYFuy; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from blindfold.corp.sigma-star.at (84-115-238-89.cable.dynamic.surfer.at [84.115.238.89]) by lithops.sigma-star.at (Postfix) with ESMTPSA id EF4EB6418DB0; Tue, 29 Aug 2023 22:58:46 +0200 (CEST) From: Richard Weinberger To: alx@kernel.org, serge@hallyn.com, christian@brauner.io, ipedrosa@redhat.com, gscrivan@redhat.com, andreas.gruenbacher@gmail.com Cc: acl-devel@nongnu.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, ebiederm@xmission.com, Richard Weinberger Subject: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces Date: Tue, 29 Aug 2023 22:58:32 +0200 Message-Id: <20230829205833.14873-3-richard@nod.at> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20230829205833.14873-1-richard@nod.at> References: <20230829205833.14873-1-richard@nod.at> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger Acked-by: Christian Brauner --- This patch applies to the Linux man-pages project. --- man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index a65854d737cf..4927e194bcdc 100644 --- a/man7/user_namespaces.7 
+++ b/man7/user_namespaces.7 
@@ -1067,6 +1067,35 @@ the remaining unsupported filesystems Linux 3.12 added support for the last of the unsupported major filesystems, .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3 XFS. +.SS Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +DAC or ACL settings, such an approach is widely regarded as a suboptimal +practice. Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.BR newuidmap (1) , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. + +Example: +.in +4n +.EX +$ \fBid\fP +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames) +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP +uid=0(root) gid=0(root) groups=0(root) +.EE +.in + +User rw got rid of it's supplementary groups and can now access files that +have been protected using negative permissions that match groups such as \fBnogames\fP. +Please note that the +.BR unshare (1) +tool uses internally +.BR newuidmap (1) . 
+ .\" .SH EXAMPLES The program below is designed to allow experimenting with From patchwork Tue Aug 29 20:58:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Weinberger X-Patchwork-Id: 13369565 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3F63C71153 for ; Tue, 29 Aug 2023 20:59:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240531AbjH2U7D (ORCPT ); Tue, 29 Aug 2023 16:59:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240629AbjH2U6y (ORCPT ); Tue, 29 Aug 2023 16:58:54 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 986BECC0; Tue, 29 Aug 2023 13:58:49 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 33E6F6418DB5; Tue, 29 Aug 2023 22:58:48 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id qs0Nv5zehD6Y; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id DE64B623489F; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dENrN-Y_-S_h; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) Received: from blindfold.corp.sigma-star.at (84-115-238-89.cable.dynamic.surfer.at [84.115.238.89]) by lithops.sigma-star.at (Postfix) with ESMTPSA id 6A94D6418DB5; Tue, 29 Aug 2023 22:58:47 +0200 (CEST) 
From: Richard Weinberger To: alx@kernel.org, serge@hallyn.com, christian@brauner.io, ipedrosa@redhat.com, gscrivan@redhat.com, andreas.gruenbacher@gmail.com Cc: acl-devel@nongnu.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, ebiederm@xmission.com, Richard Weinberger Subject: [PATCH 3/3] man: Document pitfall with negative permissions and user namespaces Date: Tue, 29 Aug 2023 22:58:33 +0200 Message-Id: <20230829205833.14873-4-richard@nod.at> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20230829205833.14873-1-richard@nod.at> References: <20230829205833.14873-1-richard@nod.at> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger Acked-by: Christian Brauner --- This patch applies to the shadow project. --- man/subgid.5.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/man/subgid.5.xml b/man/subgid.5.xml index e473768d..8ed281e5 100644 --- a/man/subgid.5.xml +++ b/man/subgid.5.xml @@ -55,6 +55,15 @@ /etc/subgid if subid delegation is managed via subid files. + + Additionally, it's worth noting that the utilization of subordinate group + IDs can affect the enforcement of negative permissions. User can drop their + supplementary groups and bypass certain negative permissions. + For more details see + + user_namespaces7 + . +
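Review bot: grammar in the added paragraph, "User can drop their supplementary groups" should be "Users can drop their supplementary groups", and the lead-in "it's worth noting that the utilization of subordinate group IDs can affect" is indirect for a man page; state it plainly, e.g. "Delegating subordinate group IDs to a user lets that user create a user namespace in which supplementary groups are dropped, so negative permissions based on group membership no longer apply." Since this file documents the delegation mechanism itself, it is also the right place to tell administrators that the effect is limited to users who are granted ranges here (or through whichever subid provider is configured, as the preceding context line allows), which the sentence currently leaves implicit.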