lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20201011205306.GC17441@localhost>
Date:   Sun, 11 Oct 2020 13:53:06 -0700
From:   Josh Triplett <josh@...htriplett.org>
To:     "Serge E. Hallyn" <serge@...lyn.com>
Cc:     Christian Brauner <christian.brauner@...ntu.com>,
        containers@...ts.linux-foundation.org,
        Alexander Mihalicyn <alexander@...alicyn.com>,
        Mrunal Patel <mpatel@...hat.com>, Wat Lim <watl@...gle.com>,
        Aleksa Sarai <cyphar@...har.com>,
        Pavel Tikhomirov <ptikhomirov@...tuozzo.com>,
        Geoffrey Thomas <geofft@...reload.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Joseph Christopher Sible <jcsible@...t.org>,
        Mickaël Salaün <mic@...ikod.net>,
        Vivek Goyal <vgoyal@...hat.com>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        Andy Lutomirski <luto@...capital.net>,
        Stephane Graber <stgraber@...ntu.com>,
        Kees Cook <keescook@...omium.org>,
        Sargun Dhillon <sargun@...gun.me>, linux-kernel@...r.kernel.org
Subject: Re: LPC 2020 Hackroom Session: summary and next steps for isolated
 user namespaces

On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote:
> > 3. Find a way to allow setgroups() in a user namespace while keeping
> >    in mind the case of groups used for negative access control.
> >    This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to
> >    investigate adding a prctl() to allow setgroups() to be called in a user
> >    namespace at the cost of restricting paths to the most restrictive
> >    permission. So if something is 0707 it needs to be treated as if it's 0000
> >    even though the caller is not in its owning group which is used for negative
> >    access control (how these new semantics will interact with ACLs will also
> >    need to be looked into).
> 
> I should probably think this through more, but for this problem, would it
> not suffice to add a new prevgroups grouplist to the struct cred, maybe
> struct group_info *locked_groups, and every time an unprivileged task creates
> a new user namespace, add all its current groups to this list?

So, effectively, you would be allowed to drop permissions, but
locked_groups would still be checked for restrictions?

That seems like it'd introduce a new level of complexity (a new facet of
permission) to manage. Not opposed, but it does seem more complex than
just opting out of using groups for negative permissions.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ