From: ebiederm@xmission.com (Eric W. Biederman)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
Date: Fri, 22 Dec 2017 08:21:38 -0600 [thread overview]
Message-ID: <87r2rmg7wt.fsf@xmission.com> (raw)
In-Reply-To: <20171222021733.rerkt6mhpf3cb3oe@gordon> (Aleksa Sarai's message of "Fri, 22 Dec 2017 13:17:34 +1100")
Aleksa Sarai <asarai@suse.de> writes:
> On 2017-12-21, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Good point about CAP_DAC_OVERRIDE on files you own.
>>
>> I think there is an argument that you are playing dangerous games with
>> the permission system there, as it isn't effectively a file you own if
>> you can't read it, and you can't change it's permissions.
>
> This problem reminds me of the whole "unmapped group" problem. If you
> have access to a file through an unmapped group you can still access a
> file -- which to me is wrong. I understand the need for checking
> unmapped groups in order to fix the "chmod 707" problem, but I think
> that unmapped groups should only *block* access and never *grant* it.
>
> I was working on a patch for that issue a while ago but it touched more
> VFS than I was comfortable with. Eric, is that a fix you would be
> interested in?
I am not certain. I don't see how there is a problem with an unmapped
group granting permissions. You are talking about a scenario where a
more privileged login program set your groups, and uid and gid. The
process despite being a user namespace does not have permission to
transition them. As such I don't see the harm.
But spell it out for me, and deal with ensuring we don't have user space
regressions and I will take a patch that improves the security of user
namespaces.
I think the issue that raised all of this is that dropping a group can
in rare instances increase permissions. I have heard people grumble at
me that the way I handle it with /etc/subuid might break things on some
people's systems. AKA don't allow it by default but allow root to
configure a way for people using user namespaces to do that. I have yet
to see someone come forward and say that is a problem in the real world.
If it actually is a problem I want to hear about it.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@suse.de>
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"Linux Containers" <containers@lists.linux-foundation.org>,
linux-security-module@vger.kernel.org,
"Mahesh Bandewar" <maheshb@google.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Willem de Bruijn" <willemb@google.com>
Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
Date: Fri, 22 Dec 2017 08:21:38 -0600 [thread overview]
Message-ID: <87r2rmg7wt.fsf@xmission.com> (raw)
In-Reply-To: <20171222021733.rerkt6mhpf3cb3oe@gordon> (Aleksa Sarai's message of "Fri, 22 Dec 2017 13:17:34 +1100")
Aleksa Sarai <asarai@suse.de> writes:
> On 2017-12-21, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Good point about CAP_DAC_OVERRIDE on files you own.
>>
>> I think there is an argument that you are playing dangerous games with
>> the permission system there, as it isn't effectively a file you own if
>> you can't read it, and you can't change it's permissions.
>
> This problem reminds me of the whole "unmapped group" problem. If you
> have access to a file through an unmapped group you can still access a
> file -- which to me is wrong. I understand the need for checking
> unmapped groups in order to fix the "chmod 707" problem, but I think
> that unmapped groups should only *block* access and never *grant* it.
>
> I was working on a patch for that issue a while ago but it touched more
> VFS than I was comfortable with. Eric, is that a fix you would be
> interested in?
I am not certain. I don't see how there is a problem with an unmapped
group granting permissions. You are talking about a scenario where a
more privileged login program set your groups, and uid and gid. The
process despite being a user namespace does not have permission to
transition them. As such I don't see the harm.
But spell it out for me, and deal with ensuring we don't have user space
regressions and I will take a patch that improves the security of user
namespaces.
I think the issue that raised all of this is that dropping a group can
in rare instances increase permissions. I have heard people grumble at
me that the way I handle it with /etc/subuid might break things on some
people's systems. AKA don't allow it by default but allow root to
configure a way for people using user namespaces to do that. I have yet
to see someone come forward and say that is a problem in the real world.
If it actually is a problem I want to hear about it.
Eric
next prev parent reply other threads:[~2017-12-22 14:21 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-21 21:06 [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch Maciej Żenczykowski
2017-12-21 21:06 ` Maciej Żenczykowski
[not found] ` <20171221210605.181720-1-zenczykowski-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-12-21 21:44 ` Eric W. Biederman
2017-12-21 21:44 ` Eric W. Biederman
2017-12-21 21:44 ` Eric W. Biederman
[not found] ` <87wp1foiwa.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-12-22 1:03 ` Maciej Żenczykowski
2017-12-22 1:03 ` Maciej Żenczykowski
2017-12-22 1:03 ` Maciej Żenczykowski
[not found] ` <CAHo-OoyrOr5jXwU-j4Z4qYdWo40+qAdAk0r+OpfMUZ6LgbS-RA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-22 1:18 ` Eric W. Biederman
2017-12-22 1:18 ` Eric W. Biederman
2017-12-22 1:18 ` Eric W. Biederman
2017-12-22 1:51 ` Maciej Żenczykowski
2017-12-22 1:51 ` Maciej Żenczykowski
[not found] ` <CAHo-OoxoTEZuQ0ZXa9a2BnjAv83y0UWC0eqn-ok9hS31LkiiSA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-22 14:08 ` Eric W. Biederman
2017-12-22 14:08 ` Eric W. Biederman
2017-12-22 14:08 ` Eric W. Biederman
2018-01-03 11:23 ` Christian Brauner
2018-01-03 11:23 ` Christian Brauner
[not found] ` <87o9mqhn3v.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2018-01-03 11:23 ` Christian Brauner
[not found] ` <87fu83lfw5.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-12-22 1:51 ` Maciej Żenczykowski
2017-12-22 2:17 ` Aleksa Sarai
2017-12-22 2:17 ` Aleksa Sarai
2017-12-22 14:21 ` Eric W. Biederman
2017-12-22 14:21 ` Eric W. Biederman [this message]
2017-12-22 14:21 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r2rmg7wt.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.