From: Dmitry Torokhov
Date: Thu, 28 Mar 2019 11:30:52 -0700
Subject: Re: Allowing mapping supplemental groups in user namespace?
To: "Serge E. Hallyn"
Cc: "Eric W. Biederman", lkml
In-Reply-To: <20190328180503.GA16249@mail.hallyn.com>
References: <20190328180503.GA16249@mail.hallyn.com>
List-ID: linux-kernel@vger.kernel.org

Hi Serge,

On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
>
> On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > Hi Eric,
> >
> > Currently, unless the caller has CAP_SETGID in the parent namespace, we can
> > only map the effective group id in the new user namespace. Would it be
> > possible to relax this rule to also allow mapping of the supplemental
> > groups (1:1) of the caller?
> >
> > Thanks.
> >
> > --
> > Dmitry
>
> Hi,
>
> Is there a use case where adding those to /etc/subgid is onerous?
> (There probably is, just would like to see yours)

We on Chrome OS limit the number of suid binaries installed on the system, so
newgidmap does not have the necessary privileges to carry out this operation.
Also, we are looking for a solution that we can use with our minijail package,
where spawning an additional binary is challenging even if it were suid.

Thanks.

--
Dmitry