[PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch

Aleksa Sarai asarai at suse.de
Fri Dec 22 02:17:34 UTC 2017


On 2017-12-21, Eric W. Biederman <ebiederm at xmission.com> wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
> 
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change it's permissions.

This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.

I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
interested in?

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/containers/attachments/20171222/5e449626/attachment-0001.sig>


More information about the Containers mailing list