* Allowing mapping supplemental groups in user namespace? @ 2019-02-28 19:27 Dmitry Torokhov 2019-03-28 18:05 ` Serge E. Hallyn 0 siblings, 1 reply; 5+ messages in thread From: Dmitry Torokhov @ 2019-02-28 19:27 UTC (permalink / raw) To: Eric W. Biederman; +Cc: lkml, Serge E. Hallyn Hi Eric, Currently, unless caller has CAP_SETGID in parent namespace, we can only map effective group id in the new user namespace. Would it be possible to relax this rule to also allow mapping of supplemental groups (1:1) of the caller? Thanks. -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Allowing mapping supplemental groups in user namespace? 2019-02-28 19:27 Allowing mapping supplemental groups in user namespace? Dmitry Torokhov @ 2019-03-28 18:05 ` Serge E. Hallyn 2019-03-28 18:30 ` Dmitry Torokhov 0 siblings, 1 reply; 5+ messages in thread From: Serge E. Hallyn @ 2019-03-28 18:05 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: Eric W. Biederman, lkml, Serge E. Hallyn On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote: > Hi Eric, > > Currently, unless caller has CAP_SETGID in parent namespace, we can > only map effective group id in the new user namespace. Would it be > possible to relax this rule to also allow mapping of supplemental > groups (1:1) of the caller? > > Thanks. > > -- > Dmitry Hi, Is there a use case where adding those to /etc/subgid is onerous? (There probably is, just would like to see yours) thanks, -serge ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Allowing mapping supplemental groups in user namespace? 2019-03-28 18:05 ` Serge E. Hallyn @ 2019-03-28 18:30 ` Dmitry Torokhov 2019-03-28 18:37 ` Serge E. Hallyn 0 siblings, 1 reply; 5+ messages in thread From: Dmitry Torokhov @ 2019-03-28 18:30 UTC (permalink / raw) To: Serge E. Hallyn; +Cc: Eric W. Biederman, lkml Hi Serge, On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn <serge@hallyn.com> wrote: > > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote: > > Hi Eric, > > > > Currently, unless caller has CAP_SETGID in parent namespace, we can > > only map effective group id in the new user namespace. Would it be > > possible to relax this rule to also allow mapping of supplemental > > groups (1:1) of the caller? > > > > Thanks. > > > > -- > > Dmitry > > Hi, > > Is there a use case where adding those to /etc/subgid is onerous? > (There probably is, just would like to see yours) We on Chrome OS limit number of suid binaries installed on the system, so newgidmap does not have necessary privileges to carry out this operation. Also we are looking for a solution that we can use with our minijail package where spawning additional binary is challenging even if it was suid. Thanks. -- Dmitry -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Allowing mapping supplemental groups in user namespace? 2019-03-28 18:30 ` Dmitry Torokhov @ 2019-03-28 18:37 ` Serge E. Hallyn 2019-03-28 18:43 ` Dmitry Torokhov 0 siblings, 1 reply; 5+ messages in thread From: Serge E. Hallyn @ 2019-03-28 18:37 UTC (permalink / raw) To: Dmitry Torokhov; +Cc: Serge E. Hallyn, Eric W. Biederman, lkml On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote: > Hi Serge, > > On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn <serge@hallyn.com> wrote: > > > > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote: > > > Hi Eric, > > > > > > Currently, unless caller has CAP_SETGID in parent namespace, we can > > > only map effective group id in the new user namespace. Would it be > > > possible to relax this rule to also allow mapping of supplemental > > > groups (1:1) of the caller? > > > > > > Thanks. > > > > > > -- > > > Dmitry > > > > Hi, > > > > Is there a use case where adding those to /etc/subgid is onerous? > > (There probably is, just would like to see yours) > > We on Chrome OS limit number of suid binaries installed on the system, > so newgidmap does not have necessary privileges to carry out this <shrug> good goal in general so long as you don't take a few huge monolithic suid binaries instad of more simpler ones :) > operation. Also we are looking for a solution that we can use with our > minijail package where spawning additional binary is challenging even > if it was suid. Ok. So fwiw I think what you propose should be ok. I think you should post a patch to do it. It's very possible that seeing that patch will remind us of the reason why it *is* a bad idea, but seeing the patch may be a required shock to elicit that memory. -serge ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Allowing mapping supplemental groups in user namespace? 2019-03-28 18:37 ` Serge E. Hallyn @ 2019-03-28 18:43 ` Dmitry Torokhov 0 siblings, 0 replies; 5+ messages in thread From: Dmitry Torokhov @ 2019-03-28 18:43 UTC (permalink / raw) To: Serge E. Hallyn; +Cc: Eric W. Biederman, lkml On Thu, Mar 28, 2019 at 11:37 AM Serge E. Hallyn <serge@hallyn.com> wrote: > > On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote: > > Hi Serge, > > > > On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn <serge@hallyn.com> wrote: > > > > > > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote: > > > > Hi Eric, > > > > > > > > Currently, unless caller has CAP_SETGID in parent namespace, we can > > > > only map effective group id in the new user namespace. Would it be > > > > possible to relax this rule to also allow mapping of supplemental > > > > groups (1:1) of the caller? > > > > > > > > Thanks. > > > > > > > > -- > > > > Dmitry > > > > > > Hi, > > > > > > Is there a use case where adding those to /etc/subgid is onerous? > > > (There probably is, just would like to see yours) > > > > We on Chrome OS limit number of suid binaries installed on the system, > > so newgidmap does not have necessary privileges to carry out this > > <shrug> good goal in general so long as you don't take a few huge > monolithic suid binaries instad of more simpler ones :) > > > operation. Also we are looking for a solution that we can use with our > > minijail package where spawning additional binary is challenging even > > if it was suid. > > Ok. So fwiw I think what you propose should be ok. I think you should > post a patch to do it. It's very possible that seeing that patch will > remind us of the reason why it *is* a bad idea, but seeing the patch may > be a required shock to elicit that memory. OK, I will cook up something. Thanks. -- Dmitry ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-03-28 18:43 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-02-28 19:27 Allowing mapping supplemental groups in user namespace? Dmitry Torokhov 2019-03-28 18:05 ` Serge E. Hallyn 2019-03-28 18:30 ` Dmitry Torokhov 2019-03-28 18:37 ` Serge E. Hallyn 2019-03-28 18:43 ` Dmitry Torokhov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox