Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755887AbdLVOWJ (ORCPT <rfc822;w@1wt.eu>);
        Fri, 22 Dec 2017 09:22:09 -0500
Received: from out03.mta.xmission.com ([166.70.13.233]:41155 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752170AbdLVOWH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 Dec 2017 09:22:07 -0500
From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@suse.de>
Cc: Maciej =?utf-8?Q?=C5=BBenczykowski?= <zenczykowski@gmail.com>,
        Linux Containers <containers@lists.linux-foundation.org>,
        linux-security-module@vger.kernel.org,
        Mahesh Bandewar <maheshb@google.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Willem de Bruijn <willemb@google.com>
References: <20171221210605.181720-1-zenczykowski@gmail.com>
        <87wp1foiwa.fsf@xmission.com>
        <CAHo-OoyrOr5jXwU-j4Z4qYdWo40+qAdAk0r+OpfMUZ6LgbS-RA@mail.gmail.com>
        <87fu83lfw5.fsf@xmission.com> <20171222021733.rerkt6mhpf3cb3oe@gordon>
Date: Fri, 22 Dec 2017 08:21:38 -0600
In-Reply-To: <20171222021733.rerkt6mhpf3cb3oe@gordon> (Aleksa Sarai's message
        of "Fri, 22 Dec 2017 13:17:34 +1100")
Message-ID: <87r2rmg7wt.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1eSOD7-0006OD-ES;;;mid=<87r2rmg7wt.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.133.177;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX19vBl2YHO6NNB/jTbX0NCa6Ruy82+ckfAM=
X-SA-Exim-Connect-IP: 67.3.133.177
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  2.5 XMWhlSbjSex Whole Obfuscated Subjects
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4847]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ***;Aleksa Sarai <asarai@suse.de>
X-Spam-Relay-Country: 
X-Spam-Timing: total 493 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.3 (0.5%), b_tie_ro: 1.62 (0.3%), parse: 0.78 (0.2%),
        extract_message_metadata: 12 (2.5%), get_uri_detail_list: 1.39 (0.3%),
        tests_pri_-1000: 7 (1.5%), tests_pri_-950: 1.23 (0.2%), tests_pri_-900: 0.96
        (0.2%), tests_pri_-400: 19 (3.9%), check_bayes: 18 (3.7%), b_tokenize: 6
        (1.2%), b_tok_get_all: 6 (1.2%), b_comp_prob: 2.1 (0.4%), b_tok_touch_all:
        2.3 (0.5%), b_finish: 0.58 (0.1%), tests_pri_0: 442 (89.8%),
        check_dkim_signature: 0.46 (0.1%), check_dkim_adsp: 2.9 (0.6%),
        tests_pri_500: 3.9 (0.8%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1862
Lines: 38

Aleksa Sarai <asarai@suse.de> writes:

> On 2017-12-21, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Good point about CAP_DAC_OVERRIDE on files you own.
>> 
>> I think there is an argument that you are playing dangerous games with
>> the permission system there, as it isn't effectively a file you own if
>> you can't read it, and you can't change it's permissions.
>
> This problem reminds me of the whole "unmapped group" problem. If you
> have access to a file through an unmapped group you can still access a
> file -- which to me is wrong. I understand the need for checking
> unmapped groups in order to fix the "chmod 707" problem, but I think
> that unmapped groups should only *block* access and never *grant* it.
>
> I was working on a patch for that issue a while ago but it touched more
> VFS than I was comfortable with. Eric, is that a fix you would be
> interested in?

I am not certain.  I don't see how there is a problem with an unmapped
group granting permissions.  You are talking about a scenario where a
more privileged login program set your groups, and uid and gid.  The
process despite being a user namespace does not have permission to
transition them.  As such I don't see the harm.

But spell it out for me, and deal with ensuring we don't have user space
regressions and I will take a patch that improves the security of user
namespaces.

I think the issue that raised all of this is that dropping a group can
in rare instances increase permissions.  I have heard people grumble at
me that the way I handle it with /etc/subuid might break things on some
people's systems.  AKA don't allow it by default but allow root to
configure a way for people using user namespaces to do that.  I have yet
to see someone come forward and say that is a problem in the real world.
If it actually is a problem I want to hear about it.

Eric