| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <54DC7C3D.4040100@gmail.com> Date: Thu, 12 Feb 2015 11:11:09 +0100 From: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> CC: mtk.manpages@...il.com, Linux Containers <containers@...ts.linux-foundation.org>, Josh Triplett <josh@...htriplett.org>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Linux API <linux-api@...r.kernel.org>, linux-man <linux-man@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, LSM <linux-security-module@...r.kernel.org>, Casey Schaufler <casey@...aufler-ca.com>, "Serge E. Hallyn" <serge@...lyn.com>, Richard Weinberger <richard@....at>, Kenton Varda <kenton@...dstorm.io>, stable <stable@...r.kernel.org>, Andy Lutomirski <luto@...capital.net> Subject: Re: [PATCH 2/2] user_namespaces.7: Update the documention to reflect the fixes for negative groups On 02/11/2015 03:01 PM, Eric W. Biederman wrote: > "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> writes: > >> Hi Eric, >> >> Ping! >> >> Cheers, >> >> Michael >> >> >> On 2 February 2015 at 16:37, Michael Kerrisk (man-pages) >> <mtk.manpages@...il.com> wrote: >>> Hi Eric, >>> >>> Thanks for writing this up! >>> >>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote: >>>> >>>> Files with access permissions such as ---rwx---rwx give fewer >>>> permissions to their group then they do to everyone else. Which means >>>> dropping groups with setgroups(0, NULL) actually grants a process >>>> privileges. >>>> >>>> The uprivileged setting of gid_map turned out not to be safe after > ^^^^^^^^^^^ > unprivileged -- typo fix Thanks for confirming. >>>> this change. Privilege setting of gid_map can be interpreted as >>>> meaning yes it is ok to drop groups. >>> >>> I had trouble to parse that sentence (and I'd like to make sure that >>> the right sentence ends up in the commit message). Did you mean: >>> >>> "*Unprivileged* setting of gid_map can be interpreted as meaning >>> yes it is ok to drop groups" >>> ? >>> >>> Or something else? > > > I meant: Setting of gid_map with privilege has been clarified to mean > that dropping groups is ok. This allows existing programs that set > gid_map with privilege to work without changes. That is newgidmap > continues to work unchanged. Thanks. I added that text to the changelog message. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists