| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2015-03-04 14:21:23 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2015-03-04 15:11:02 +0100 |
| commit | ecb0ff30e86e0cf87fbcd8e13a496b89e8470d7e | |
| tree | 1dd6d5f596cafd9559a0e374643d2f4dae786f66 /man7/user_namespaces.7 | |
| parent | d6add5efa20c98f4160449e22502cabd7c4d57ba | |
| download | man-pages-ecb0ff30e86e0cf87fbcd8e13a496b89e8470d7e.tar.gz | |
user_namespaces.7: Explain why the /proc/PID/setgroups file was added
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/user_namespaces.7')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man7/user_namespaces.7 | 39 |

1 files changed, 39 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 15501a26f4..bc4dd478ab 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -716,6 +716,45 @@ to the file) in this user namespace. .BR EPERM .) This restriction also propagates down to all child user namespaces of this user namespace. + +The +.I /proc/[pid]/setgroups +file was added in Linux 3.19, +but was backported to many earlier stable kernel series, +because it addresses a security issue. +The issue concerned files with permissions such as "rwx\-\-\-rwx". +Such files give fewer permissions to "group" than they do to "other". +This means that dropping groups using +.BR setgroups (2) +might allow a process file access that it did not formerly have. +Before the existence of user namespaces this was not a concern, +since only a privileged process (one with the +.BR CAP_SETGID +capability) could call +.BR setgroups (2). +However, with the introduction of user namespaces, +it became possible for an unprivileged process to create +a new namespace in which the user had all privileges. +This then allowed formerly unprivileged +users to drop groups and thus gain file access +that they did not previously have. +The +.I /proc/[pid]/setgroups +file was added to address this security issue, +by denying any pathway for an unprivleged process to drop groups with +.BR setgroups (2). +.\" +.\" /proc/PID/setgroups +.\" [allow == setgroups() is allowed, "deny" == setgroups() is disallowed] +.\" * Can write if have CAP_SYS_ADMIN in NS +.\" * Must write BEFORE writing to /proc/PID/gid_map +.\" +.\" setgroups() +.\" * Must already have written to gid_maps +.\" * /proc/PID/setgroups must be "allow" +.\" +.\" /proc/PID/gid_map -- writing +.\" * Must already have written "deny" to /proc/PID/setgroups .\" .\" ============================================================ .\" |
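Review bot: the last rendered sentence of the hunk has a typo, "by denying any pathway for an unprivleged process" should read "unprivileged". The roff comment block that closes the hunk also needs a qualifier before it is ever promoted to rendered text: the bullet `.\" * Must already have written "deny" to /proc/PID/setgroups` under `.\" /proc/PID/gid_map -- writing` is the condition only for a writer that lacks CAP_SETGID in the parent user namespace (writing "deny" is what allows such a process to write gid_map at all); a writer holding CAP_SETGID in the parent namespace is not bound by it, so the bullet should say "unless the writer has CAP_SETGID in the parent user namespace" to avoid contradicting the `CAP_SETGID` reasoning given in the new rendered paragraph just above it. The rendered text itself reads clearly: the "rwx\-\-\-rwx" example shows concretely why dropping a group can widen, not narrow, a process's file access.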
