[PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch
asarai at suse.de
Fri Dec 22 02:17:34 UTC 2017
On 2017-12-21, Eric W. Biederman <ebiederm at xmission.com> wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change it's permissions.
This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.
I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
Senior Software Engineer (Containers)
SUSE Linux GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the Containers