Re: [PATCH 2/3] user_namespaces.7: Document pitfall with negative permissions and user namespaces

[Alejandro Colomar <alx@kernel.org>]

[-- Attachment #1.1: Type: text/plain, Size: 3498 bytes --]

Hi Richard,

On 2023-08-29 22:58, Richard Weinberger wrote:
> It is little known that user namespaces and some helpers
> can be used to bypass negative permissions.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> This patch applies to the Linux man-pages project.
> ---
>  man7/user_namespaces.7 | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
> index a65854d737cf..4927e194bcdc 100644
> --- a/man7/user_namespaces.7
> +++ b/man7/user_namespaces.7
> @@ -1067,6 +1067,35 @@ the remaining unsupported filesystems
>  Linux 3.12 added support for the last of the unsupported major filesystems,
>  .\" commit d6970d4b726cea6d7a9bc4120814f95c09571fc3
>  XFS.
> +.SS Negative permissions and Linux user namespaces
> +While it is technically feasible to establish negative permissions through

Please use semantic newlines.

$ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p'
   Use semantic newlines
     In the source of a manual page, new sentences should  be  started
     on new lines, long sentences should be split into lines at clause
     breaks  (commas, semicolons, colons, and so on), and long clauses
     should be split at phrase boundaries.  This convention, sometimes
     known as "semantic newlines", makes it easier to see  the  effect
     of  patches,  which often operate at the level of individual sen‐
     tences, clauses, or phrases.

> +DAC or ACL settings, such an approach is widely regarded as a suboptimal
> +practice. Furthermore, the utilization of Linux user namespaces introduces the

Two spaces after period, if at all.  But note that semantic newlines
preclude that possibility.

> +potential to circumvent specific negative permissions.  This issue stems
> +from the fact that privileged helpers, such as
> +.BR newuidmap (1) ,

Thas second space is spurious.

> +enable unprivileged users to create user namespaces with subordinate user and
> +group IDs. As a consequence, users can drop group memberships, resulting
> +in a situation where negative permissions based on group membership no longer
> +apply.
> +

Use .PP instead of blanks.

> +Example:
> +.in +4n
> +.EX
> +$ \fBid\fP
> +uid=1000(rw) gid=1000(rw) groups=1000(rw),1001(nogames)
> +$ \fBunshare -S 0 -G 0 --map-users=100000,0,65536 --map-groups=100000,0,65536 id\fP
> +uid=0(root) gid=0(root) groups=0(root)

This example is not working:

$ echo bar > foo
$ sudo chmod g= foo
$ sudo chown man foo
$ ls -l foo
-rw----r-- 1 man alx 4 Aug 29 23:28 foo
$ cat foo 
cat: foo: Permission denied
$ id
uid=1000(alx) gid=1000(alx) groups=1000(alx),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(lpadmin),118(scanner)
$ unshare ‐S 0 ‐G 0 ‐‐map‐users=100000,0,65536 ‐‐map‐groups=100000,0,65536 id
unshare: failed to execute ‐S: No such file or directory


> +.EE
> +.in
> +
> +User rw got rid of it's supplementary groups and can now access files that
> +have been protected using negative permissions that match groups such as \fBnogames\fP.
> +Please note that the
> +.BR unshare (1)
> +tool uses internally
> +.BR newuidmap (1) .
> +

Cheers,
Alex

>  .\"
>  .SH EXAMPLES
>  The program below is designed to allow experimenting with

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]