| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Dec 2017 13:17:34 +1100
From: Aleksa Sarai <asarai@...e.de>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Maciej Żenczykowski <zenczykowski@...il.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-security-module@...r.kernel.org,
Mahesh Bandewar <maheshb@...gle.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH] userns: honour no_new_privs for cap_bset during user ns
creation/switch
On 2017-12-21, Eric W. Biederman <ebiederm@...ssion.com> wrote:
> Good point about CAP_DAC_OVERRIDE on files you own.
>
> I think there is an argument that you are playing dangerous games with
> the permission system there, as it isn't effectively a file you own if
> you can't read it, and you can't change it's permissions.
This problem reminds me of the whole "unmapped group" problem. If you
have access to a file through an unmapped group you can still access a
file -- which to me is wrong. I understand the need for checking
unmapped groups in order to fix the "chmod 707" problem, but I think
that unmapped groups should only *block* access and never *grant* it.
I was working on a patch for that issue a while ago but it touched more
VFS than I was comfortable with. Eric, is that a fix you would be
interested in?
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists