Received: by 2002:a05:6520:4211:b029:f4:110d:56bc with SMTP id o17csp1610108lkv;
        Wed, 19 May 2021 14:01:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwRTokb54zBSOPjDKs8HDZga9DQ4om54sLaECPyuC0fnOMxBAwl+xZ/DQVFqU4lPJfO30xh
X-Received: by 2002:a05:6e02:218f:: with SMTP id j15mr1063880ila.249.1621458076519;
        Wed, 19 May 2021 14:01:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621458076; cv=none;
        d=google.com; s=arc-20160816;
        b=LA523woxPlPZRYE5N5Y0/V4HOHY6VLFC1M0AEY8NITX+hgJoKgVBFS1J2HRiFrbYQY
         OukThhvAGRLEXm6E/d49FRQvmQ7BLeq34JFfjxr4Yre9LHE1BqB+eKtqnivvCyNXw0/I
         FvQzGrZaY/L2hFlj9euceUxP3hiiTcv8nTB0Ox3KdJhL0hSFOUUR92iyJKN4sc+SX2e8
         leMorethivTcSqBbQ4FgT6xLEX/NN4Dc9JmYFPeNV7qwNpas+mQcUVCZhJlxJpqxrlP1
         GHwjDgsti21CQtEzYwkgrsIFGu9pM0Sd/30SUucc81MyyYUTSWCaKjpQ609BNl5a6QAh
         uxuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=oFLElAPBYAHh6ttWBISj0fzfeB631rT/jKn4tkPzLzs=;
        b=PY1XBNdYpsbkxqFpYftIVm6kS0I9P+WjI9NCKhXlbQRVIPaGR0R/rKpe4QuLyl7P3F
         R1Iv4cz754HZofcVXaogitroCjmhQA8/O77z3tu/co4SG/y4aiBcLXsZwU30uc+09SXD
         pkiom85L7eMo8t2pQCtaSSLDF6A3QF4hrjHEHVhCZjRqQs3hYP93dxyQ6RMir5AK1dYC
         /B6/08JqagJkiNCmk9lGRwlv4ScO5v5B5SwYHtq6VMpd/1w007fjm5bpBpDBxiKIsqqH
         mkQyFD7KOjbSDpP9bmsKkV4P9knzKTDBvt9KX+VGNLjZ44SGSfJZgSZufWy6Jz/ie2AZ
         nxRw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v17si456391jan.123.2021.05.19.14.01.03;
        Wed, 19 May 2021 14:01:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347925AbhERJeF (ORCPT <rfc822;loic.yhuel@gmail.com>
        + 99 others); Tue, 18 May 2021 05:34:05 -0400
Received: from mail.kernel.org ([198.145.29.99]:45210 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S239643AbhERJeE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 May 2021 05:34:04 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 2D24461073;
        Tue, 18 May 2021 09:32:44 +0000 (UTC)
Date:   Tue, 18 May 2021 11:32:41 +0200
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     "Serge E. Hallyn" <serge@hallyn.com>
Cc:     Giuseppe Scrivano <gscrivan@redhat.com>,
        linux-kernel@vger.kernel.org, dwalsh@redhat.com,
        ebiederm@xmission.com
Subject: Re: [RFC PATCH 1/3] setgroups: new mode 'shadow' for
 /proc/PID/setgroups
Message-ID: <20210518093241.7hqs2hnlqeywvhp5@wittgenstein>
References: <20210510130011.1441834-1-gscrivan@redhat.com>
 <20210510130011.1441834-2-gscrivan@redhat.com>
 <20210515015157.GB2845@mail.hallyn.com>
 <87y2cdqyhj.fsf@redhat.com>
 <20210517143321.en2jy2gaxrhdhvub@wittgenstein>
 <20210517161713.GB25644@mail.hallyn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20210517161713.GB25644@mail.hallyn.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 17, 2021 at 11:17:13AM -0500, Serge Hallyn wrote:
> On Mon, May 17, 2021 at 04:33:21PM +0200, Christian Brauner wrote:
> > On Mon, May 17, 2021 at 03:30:16PM +0200, Giuseppe Scrivano wrote:
> > > >> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> > > >> index 8d62863721b0..b1940b63f7ac 100644
> > > >> --- a/kernel/user_namespace.c
> > > >> +++ b/kernel/user_namespace.c
> > > >> @@ -123,6 +123,7 @@ int create_user_ns(struct cred *new)
> > > >>  		ns->ucount_max[i] = INT_MAX;
> > > >>  	}
> > > >>  	ns->ucounts = ucounts;
> > > >> +	ns->shadow_group_info = get_current_groups();
> > > >
> > > > If userns u1 unshares u2 with shadow set, then when u2 unshares
> > > > u3, should u3 get the same shadowed set that u2 has, or should it
> > > > get all of u2's groups as u3's initial shadow set?
> > > 
> > > good question.  Thinking more of it, I think a reasonable interface is
> > > to expect a child userns to inherit the same shadow groups as its parent
> > > userns.  If "shadow" is written again to the /proc/PID/setgroups file
> > > then it grows shadow groups set to include the ones the userns had at
> > > creation time (which includes the parent shadow groups).  What do you
> > > think of it?  I'll play more with this idea and see if it works.
> > 
> > So when I initially looked at that proposal I was neither "yay" or "nay"
> > since it seemed useful to people and it looked somewhat straightforward
> > to implement.
> > 
> > But I do have concerns now after seeing this. The whole
> > /proc/<pid>/setgroups API is terrible in the first place and causes even
> > more special-casing in container runtimes then there already is. But it
> > fixes a security issue so ok we'll live with it.
> > 
> > But I'm not happy about extending its format to include more options. I
> > really don't want the precedent of adding magic keywords into this file.
> > 
> > Which brings me to my second concern. I think starting to magically
> > inherit group ids isn't a great idea. It's got a lot of potential for
> > confusion.
> > 
> > The point Serge here made makes this pretty obvious imho. I don't think
> > introducing the complexities of magic group inheritance is something we
> > should do.
> > 
> > Alternative proposal, can we solve this in userspace instead?
> > 
> > As has been pointed out there is a solution to this problem already
> > which is to explicitly map those groups through, i.e. punch holes for
> > the groups to be inherited.
> > 
> > So can't we introduce a new mode for newgidmap by e.g. introducing
> > another /etc/setgroups file or something similar that can be configured
> > by the administrator. It could take options, e.g. "shadow=always" which
> > could mean "everyone must inherit their groups" so newgidmap will punch
> > holes for the caller's groups when writing the gid mapping. We could
> > also extend this by making newgidmap take a command line switch so it's
> > on a case-by-case basis.
> > 
> > This is even more flexible since you could extend the new /etc/setgroups
> > file to specify a list of groups that must always be preserved. I'd
> > rather see something like this rather than a magic inheritance switch.
> > 
> > Christian
> 
> That sounds reasonable, but my concern is that admins currently using
> groups to deny file access will need to take extra steps to maintain
> that guarantee.  I think that falls under the category of a regression.
> Unless we make 'shadow=always' the default.  But then *that* will regress
> users who currently do not want that feature :)

I think this should simply be up to the administrator.

> 
> Anyway, if we do go this route - or maybe a login.defs option
> "ALLOW_UNPRIV_GROUPS_DROP" - perhaps we can also add a new /etc/subauxgroups
> file (TODO find a better name) which admins who are in the know can use to say
> "hallyn 2000" meaning "user hallyn cannot drop group 2000"

That sounds like something useful. Ideally integrated with the newly
added libsubid.

Christian