Unprivileged containers and co-ordinating user namespaces
James.Bottomley at HansenPartnership.com
Wed May 4 18:21:33 UTC 2016
On Wed, 2016-05-04 at 14:17 -0400, James Bottomley wrote:
> > Certainly it has been that way for quite a while now.
> I don't quite get this. If setgroups is set to deny and I have a set
> of group mappings, I still can't get rid of the negative acl group.
> I can map it to a different gid inside my container, or I can not
> map it at all, but in either case I still can't get access to
> anything with the negative acl group marker because the group
> permission check occurs with the kgid_t set which includes my
> mapped or unmapped group. The only way I can lose it is to call
Sorry, this next bit should be at the end of the email (I was playing
and typing at the same time):
> It's a bit ugly because I have to enter the container with
> --preserve-credentials and I can't su to myself if I enter as root (-S 0);
> I have to re-enter as myself instead, but it works.
> > Except for the negative acl aspect there are no issues with
> > dropping groups, as setgroups will limit you to the groups allowed
> > in your user namespace.
> Well, notwithstanding the merits of negative acls, which I don't want
> to debate because I don't think they're that useful, the use case
> might be that a user possessing a negative acl still wants to use an
> architecture emulation container for building. Installing such a
> container requires being able to set a set of groups and uids
> (required by the installer), but it doesn't require the
> sys_setgroups() system call, so they could reasonably be given the
> ability to set one up with the nosetgroups flag and a range of gids
> allocated in subgid to ensure they still can't get access to
> resources denied by the negative acl group.
It's a bit ugly because I have to enter the container with
--preserve-credentials and I can't su to myself if I enter as root (-S 0);
I have to re-enter as myself instead, but it works.
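The behaviour discussed in this thread can be checked directly against the kernel's /proc/[pid]/setgroups, uid_map and gid_map interface. The program below is an added example, not code from the list post, from the kernel or from nsenter: it forks a child that creates a user namespace, writes "deny" to its setgroups file, installs a single uid and gid mapping (which an unprivileged process may do precisely because setgroups is denied), and then observes that the supplementary group list keeps its size (unmapped entries are only displayed as the overflow gid; the kernel still holds the original kgid_t values for permission checks) and that setgroups(2) now fails with EPERM, so the negative-ACL group can be renamed or hidden but never dropped. The function names, the three DEMO_* result codes and the 256-group buffer are this example's own conventions; DEMO_UNAVAILABLE is returned where the environment refuses unprivileged user namespaces (seccomp, sysctl, old kernel), so the example degrades instead of misreporting.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DEMO_OK = 0, DEMO_VIOLATED = 1, DEMO_UNAVAILABLE = 2 }; /* example's own codes */
enum { MAXG = 256 };                                           /* assumed group-list bound */

/* Format one id_map line "<inside> <outside> <count>\n" as the kernel expects it. */
int format_idmap(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}

/* Write text to /proc/self/<name>; 0 on success, -errno on failure. */
static int write_proc_self(const char *name, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int err = (write(fd, text, strlen(text)) < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Runs in the child: new user namespace, setgroups denied, 1:1 map of our own ids. */
static int child_experiment(void)
{
    gid_t before[MAXG], after[MAXG];
    char map[64];
    int nbefore = getgroups(MAXG, before);
    if (nbefore < 0)
        return DEMO_UNAVAILABLE;
    uid_t euid = geteuid();
    gid_t egid = getegid();

    if (unshare(CLONE_NEWUSER) < 0)           /* EPERM/EINVAL: userns not available here */
        return DEMO_UNAVAILABLE;
    if (write_proc_self("setgroups", "deny") < 0)
        return DEMO_UNAVAILABLE;
    format_idmap(map, sizeof map, 0, (unsigned)euid, 1);
    if (write_proc_self("uid_map", map) < 0)
        return DEMO_UNAVAILABLE;
    format_idmap(map, sizeof map, 0, (unsigned)egid, 1);
    /* Unprivileged gid_map write is only accepted because setgroups is "deny". */
    if (write_proc_self("gid_map", map) < 0)
        return DEMO_UNAVAILABLE;

    /* The group list is still there; unmapped members show as the overflow gid. */
    int nafter = getgroups(MAXG, after);
    if (nafter != nbefore)
        return DEMO_VIOLATED;
    printf("supplementary groups, outside id -> id seen inside the namespace:\n");
    for (int i = 0; i < nbefore; i++)
        printf("  %u -> %u\n", (unsigned)before[i], (unsigned)after[i]);
    fflush(stdout);

    /* Even with full capabilities in the new namespace, dropping groups is refused. */
    errno = 0;
    if (setgroups(0, NULL) == 0 || errno != EPERM)
        return DEMO_VIOLATED;
    return DEMO_OK;
}

/* Fork so the caller's own namespace is left untouched; returns a DEMO_* code. */
int setgroups_deny_keeps_groups(void)
{
    fflush(stdout);
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_UNAVAILABLE;
    if (pid == 0)
        _exit(child_experiment());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return DEMO_UNAVAILABLE;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = setgroups_deny_keeps_groups();
    if (r == DEMO_OK)
        puts("setgroups denied: group list preserved, setgroups(2) -> EPERM");
    else if (r == DEMO_UNAVAILABLE)
        puts("could not create an unprivileged user namespace here; nothing to show");
    else
        puts("unexpected: groups could be changed despite setgroups=deny");
    return r;
}
```

Run it as an ordinary user who holds a group you care about (for instance one used in a negative ACL): the second column shows that group as 65534 inside the namespace, yet it is still present, and the setgroups call fails. Writing "allow" instead of "deny" is not an option for an unprivileged creator, because the gid_map write would then require CAP_SETGID in the parent namespace, which is the mechanism the thread relies on.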