Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns creation/switch

From: Aleksa Sarai
Date: Thu Dec 21 2017 - 21:17:48 EST


On 2017-12-21, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
>
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change its permissions.

This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.

I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
interested in?

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
