Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755887AbdLVOWJ (ORCPT ); Fri, 22 Dec 2017 09:22:09 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:41155 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752170AbdLVOWH (ORCPT ); Fri, 22 Dec 2017 09:22:07 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Aleksa Sarai Cc: Maciej =?utf-8?Q?=C5=BBenczykowski?= , Linux Containers , linux-security-module@vger.kernel.org, Mahesh Bandewar , Linux Kernel Mailing List , Willem de Bruijn References: <20171221210605.181720-1-zenczykowski@gmail.com> <87wp1foiwa.fsf@xmission.com> <87fu83lfw5.fsf@xmission.com> <20171222021733.rerkt6mhpf3cb3oe@gordon> Date: Fri, 22 Dec 2017 08:21:38 -0600 In-Reply-To: <20171222021733.rerkt6mhpf3cb3oe@gordon> (Aleksa Sarai's message of "Fri, 22 Dec 2017 13:17:34 +1100") Message-ID: <87r2rmg7wt.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1eSOD7-0006OD-ES;;;mid=<87r2rmg7wt.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.133.177;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19vBl2YHO6NNB/jTbX0NCa6Ruy82+ckfAM= X-SA-Exim-Connect-IP: 67.3.133.177 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 2.5 XMWhlSbjSex Whole Obfuscated Subjects * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4847] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ***;Aleksa Sarai X-Spam-Relay-Country: X-Spam-Timing: total 493 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 2.3 (0.5%), b_tie_ro: 1.62 (0.3%), parse: 0.78 (0.2%), extract_message_metadata: 12 (2.5%), get_uri_detail_list: 1.39 (0.3%), tests_pri_-1000: 7 (1.5%), tests_pri_-950: 1.23 (0.2%), tests_pri_-900: 0.96 (0.2%), tests_pri_-400: 19 (3.9%), check_bayes: 18 (3.7%), b_tokenize: 6 (1.2%), b_tok_get_all: 6 (1.2%), b_comp_prob: 2.1 (0.4%), b_tok_touch_all: 2.3 (0.5%), b_finish: 0.58 (0.1%), tests_pri_0: 442 (89.8%), check_dkim_signature: 0.46 (0.1%), check_dkim_adsp: 2.9 (0.6%), tests_pri_500: 3.9 (0.8%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1862 Lines: 38 Aleksa Sarai writes: > On 2017-12-21, Eric W. Biederman wrote: >> Good point about CAP_DAC_OVERRIDE on files you own. >> >> I think there is an argument that you are playing dangerous games with >> the permission system there, as it isn't effectively a file you own if >> you can't read it, and you can't change it's permissions. > > This problem reminds me of the whole "unmapped group" problem. If you > have access to a file through an unmapped group you can still access a > file -- which to me is wrong. I understand the need for checking > unmapped groups in order to fix the "chmod 707" problem, but I think > that unmapped groups should only *block* access and never *grant* it. > > I was working on a patch for that issue a while ago but it touched more > VFS than I was comfortable with. Eric, is that a fix you would be > interested in? I am not certain. I don't see how there is a problem with an unmapped group granting permissions. You are talking about a scenario where a more privileged login program set your groups, and uid and gid. The process despite being a user namespace does not have permission to transition them. As such I don't see the harm. But spell it out for me, and deal with ensuring we don't have user space regressions and I will take a patch that improves the security of user namespaces. I think the issue that raised all of this is that dropping a group can in rare instances increase permissions. I have heard people grumble at me that the way I handle it with /etc/subuid might break things on some people's systems. AKA don't allow it by default but allow root to configure a way for people using user namespaces to do that. I have yet to see someone come forward and say that is a problem in the real world. If it actually is a problem I want to hear about it. Eric