Unprivileged containers and co-ordinating user namespaces

James Bottomley James.Bottomley at HansenPartnership.com
Wed May 4 18:21:33 UTC 2016


On Wed, 2016-05-04 at 14:17 -0400, James Bottomley wrote:
> > Certainly it has been that way for quite a while now.
> 
> I don't quite get this.  If setgroups is set to deny and I have a set
> of group mappings, I still can't get rid of the negative acl group.
> I can map it to a different gid inside my container, or I can not
> map it at all, but in either case I still can't get access to
> anything with the negative acl group marker because the group
> permission check occurs with the kgid_t set which includes my
> mapped or unmapped group.  The only way I can lose it is to call
> sys_setgroups().

Sorry, this next bit should be at the end of the email (I was playing
and typing at the same time):

> It's a bit ugly because I have to enter the container with
> --preserve-credentials and I can't su to myself if I enter as root
> (-S 0), I have to re-enter as myself instead, but it works.
> 
> > Except for the negative acl aspect there are no issues with 
> > dropping groups, as setgroups will limit you to the groups allowed 
> > in your user namespace.
> 
> Well, notwithstanding the merits of negative acls, which I don't want
> to debate because I don't think they're that useful, the use case 
> might be that a user possessing a negative acl still wants to use an
> architecture emulation container for building.  Installing such a
> container requires being able to set a set of groups and uids 
> (required by the installer), but it doesn't require the 
> sys_setgroups() system call, so they could reasonably be given the 
> ability to set one up with the nosetgroups flag and a range of gids 
> allocated in subgid to ensure they still can't get access to 
> resources denied by the negative acl group.

It's a bit ugly because I have to enter the container with
--preserve-credentials and I can't su to myself if I enter as root
(-S 0), I have to re-enter as myself instead, but it works.

James
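As an added illustration of the mechanism discussed in the quoted paragraphs above (this is not code from the thread): a small C program that enters a user namespace the unprivileged way, writes "deny" to /proc/self/setgroups, identity-maps only the caller's own uid and gid, and then reports that the supplementary group set is still present inside the namespace (unmapped entries are reported as the overflow gid) and that setgroups() is refused with EPERM. The names demo_setgroups_deny and struct userns_result are my own; the program assumes a Linux kernel with unprivileged user namespaces enabled and /proc mounted, and reports the unshare() errno if that is not the case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of each step, so a caller can inspect what happened. */
struct userns_result {
	int unshare_errno;   /* errno from unshare(CLONE_NEWUSER), 0 on success */
	int ngroups_before;  /* size of the supplementary group set before entering */
	int ngroups_after;   /* size of the set as seen from inside the namespace */
	int setgroups_errno; /* errno from setgroups(0, NULL) inside; expected EPERM */
};

/* Write one short string to a /proc file; returns 0 or -errno. */
static int write_file(const char *path, const char *text)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0)
		return -errno;
	int err = write(fd, text, strlen(text)) < 0 ? -errno : 0;
	close(fd);
	return err;
}

/*
 * Unprivileged entry into a fresh user namespace: deny setgroups, then
 * identity-map our own uid and gid (the only mapping an unprivileged
 * writer is allowed).  Assumes /proc is mounted and that unprivileged
 * user namespaces are enabled; otherwise unshare() fails and its errno
 * is left in r->unshare_errno.
 */
int demo_setgroups_deny(struct userns_result *r)
{
	uid_t uid = geteuid();
	gid_t gid = getegid();
	char map[64];

	memset(r, 0, sizeof *r);
	r->ngroups_before = getgroups(0, NULL);

	if (unshare(CLONE_NEWUSER) < 0) {
		r->unshare_errno = errno;
		return -1;
	}
	/* "deny" must be written before gid_map or the kernel rejects the map. */
	if (write_file("/proc/self/setgroups", "deny") < 0)
		return -1;
	snprintf(map, sizeof map, "%u %u 1", (unsigned)uid, (unsigned)uid);
	if (write_file("/proc/self/uid_map", map) < 0)
		return -1;
	snprintf(map, sizeof map, "%u %u 1", (unsigned)gid, (unsigned)gid);
	if (write_file("/proc/self/gid_map", map) < 0)
		return -1;

	/* The supplementary groups are still attached to the task as kgid_t
	 * values.  Unmapped ones are reported as the overflow gid (65534 by
	 * default), but they still take part in permission checks, which is
	 * why a negative acl group keeps denying access. */
	r->ngroups_after = getgroups(0, NULL);

	/* The only way to shed them is setgroups(), which the kernel refuses
	 * once setgroups has been denied in this namespace. */
	if (setgroups(0, NULL) < 0)
		r->setgroups_errno = errno;
	return 0;
}

int main(void)
{
	struct userns_result r;

	if (demo_setgroups_deny(&r) < 0) {
		fprintf(stderr, "could not set up user namespace: %s\n",
			strerror(r.unshare_errno ? r.unshare_errno : errno));
		return 1;
	}
	printf("groups before: %d, groups inside: %d\n",
	       r.ngroups_before, r.ngroups_after);
	printf("setgroups(0, NULL) inside: %s\n",
	       r.setgroups_errno ? strerror(r.setgroups_errno) : "succeeded");
	return 0;
}
```

Run it as an ordinary user holding a supplementary group: the group count inside matches the count outside, and the setgroups() call reports "Operation not permitted", which is exactly why a negative acl group cannot be dropped from inside a nosetgroups namespace even though it can be left unmapped.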



More information about the Containers mailing list