Re: Allowing mapping supplemental groups in user namespace?
On Thu, Mar 28, 2019 at 11:37 AM Serge E. Hallyn wrote:
>
> On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote:
> > Hi Serge,
> >
> > On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
> > >
> > > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > > > Hi Eric,
> > > >
> > > > Currently, unless caller has CAP_SETGID in parent namespace, we can
> > > > only map effective group id in the new user namespace. Would it be
> > > > possible to relax this rule to also allow mapping of supplemental
> > > > groups (1:1) of the caller?
> > > >
> > > > Thanks.
> > > >
> > > > --
> > > > Dmitry
> > >
> > > Hi,
> > >
> > > Is there a use case where adding those to /etc/subgid is onerous?
> > > (There probably is, just would like to see yours)
> >
> > We on Chrome OS limit number of suid binaries installed on the system,
> > so newgidmap does not have necessary privileges to carry out this
>
> good goal in general so long as you don't take a few huge
> monolithic suid binaries instead of more simpler ones :)
>
> > operation. Also we are looking for a solution that we can use with our
> > minijail package where spawning additional binary is challenging even
> > if it was suid.
>
> Ok. So fwiw I think what you propose should be ok. I think you should
> post a patch to do it. It's very possible that seeing that patch will
> remind us of the reason why it *is* a bad idea, but seeing the patch may
> be a required shock to elicit that memory.

OK, I will cook up something.

Thanks.

--
Dmitry
Re: Allowing mapping supplemental groups in user namespace?
On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote:
> Hi Serge,
>
> On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
> >
> > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > > Hi Eric,
> > >
> > > Currently, unless caller has CAP_SETGID in parent namespace, we can
> > > only map effective group id in the new user namespace. Would it be
> > > possible to relax this rule to also allow mapping of supplemental
> > > groups (1:1) of the caller?
> > >
> > > Thanks.
> > >
> > > --
> > > Dmitry
> >
> > Hi,
> >
> > Is there a use case where adding those to /etc/subgid is onerous?
> > (There probably is, just would like to see yours)
>
> We on Chrome OS limit number of suid binaries installed on the system,
> so newgidmap does not have necessary privileges to carry out this

good goal in general so long as you don't take a few huge
monolithic suid binaries instead of more simpler ones :)

> operation. Also we are looking for a solution that we can use with our
> minijail package where spawning additional binary is challenging even
> if it was suid.

Ok. So fwiw I think what you propose should be ok. I think you should
post a patch to do it. It's very possible that seeing that patch will
remind us of the reason why it *is* a bad idea, but seeing the patch may
be a required shock to elicit that memory.

-serge
Re: Allowing mapping supplemental groups in user namespace?
Hi Serge,

On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
>
> On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > Hi Eric,
> >
> > Currently, unless caller has CAP_SETGID in parent namespace, we can
> > only map effective group id in the new user namespace. Would it be
> > possible to relax this rule to also allow mapping of supplemental
> > groups (1:1) of the caller?
> >
> > Thanks.
> >
> > --
> > Dmitry
>
> Hi,
>
> Is there a use case where adding those to /etc/subgid is onerous?
> (There probably is, just would like to see yours)

We on Chrome OS limit number of suid binaries installed on the system,
so newgidmap does not have necessary privileges to carry out this
operation. Also we are looking for a solution that we can use with our
minijail package where spawning additional binary is challenging even
if it was suid.

Thanks.

--
Dmitry
Re: Allowing mapping supplemental groups in user namespace?
On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> Hi Eric,
>
> Currently, unless caller has CAP_SETGID in parent namespace, we can
> only map effective group id in the new user namespace. Would it be
> possible to relax this rule to also allow mapping of supplemental
> groups (1:1) of the caller?
>
> Thanks.
>
> --
> Dmitry

Hi,

Is there a use case where adding those to /etc/subgid is onerous?
(There probably is, just would like to see yours)

thanks,
-serge
Allowing mapping supplemental groups in user namespace?
Hi Eric,

Currently, unless caller has CAP_SETGID in parent namespace, we can
only map effective group id in the new user namespace. Would it be
possible to relax this rule to also allow mapping of supplemental
groups (1:1) of the caller?

Thanks.

--
Dmitry
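
Added example, not part of the thread and not kernel code: a simplified model of the rule the original message describes, showing why a gid_map that also carries a 1:1 supplemental-group entry is refused today for a writer without CAP_SETGID in the parent namespace. The function name and the sample IDs (1000, 27) are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

/* Simplified model (an assumption, not kernel code) of the check applied when
 * a writer WITHOUT CAP_SETGID in the parent namespace writes gid_map.
 * map: proposed contents, lines of "<inside-gid> <outside-gid> <count>".
 * The separate requirement that the writer's euid owns the namespace is
 * not modelled. Returns 1 if the write would be accepted, 0 if refused. */
int unpriv_gid_map_permitted(const char *map, gid_t egid, int setgroups_denied)
{
    unsigned long inside, outside, count;
    int extents = 0, ok = 1, used;

    while (*map) {
        if (sscanf(map, "%lu %lu %lu%n", &inside, &outside, &count, &used) != 3)
            return 0;                      /* malformed line */
        extents++;
        /* only a single-ID extent whose parent-side ID is the writer's egid */
        if (count != 1 || outside != (unsigned long)egid)
            ok = 0;
        map += used;
        while (*map == '\n' || *map == ' ')
            map++;
    }
    /* exactly one extent, and /proc/<pid>/setgroups must already be "deny" */
    return extents == 1 && ok && setgroups_denied;
}

int main(void)
{
    gid_t egid = 1000;                     /* constructed: writer's effective gid */
    /* constructed: 27 stands for one of the writer's supplemental groups */
    const char *only_egid = "1000 1000 1\n";
    const char *with_supp = "1000 1000 1\n27 27 1\n";

    printf("egid only, setgroups=deny : %d\n",
           unpriv_gid_map_permitted(only_egid, egid, 1));
    printf("egid + supplemental 1:1   : %d\n",
           unpriv_gid_map_permitted(with_supp, egid, 1));
    printf("egid only, setgroups=allow: %d\n",
           unpriv_gid_map_permitted(only_egid, egid, 0));
    return 0;
}
```

The second case is the mapping the thread asks about; under the current rule the extra line makes the whole write fail, which is why newgidmap with /etc/subgid is the usual route.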