Commit
newgidmap: add deny_setgroups flag to /etc/subgid
Add a new deny_setgroups (and corresponding allow_setgroups) flag to /etc/subgid. The purpose of this flag is to extend the security protections against CVE-2018-7169, so that even group mapping configured in /etc/subgid by an administrator can still disable setgroups.

However, rather than the fairly lenient semantics for self-mapping, the semantics of /etc/subgid are stronger. If a mapping is encountered where "deny_setgroups" is set, then no other mapping can "undo" this restriction. The reason for this is that "deny_setgroups" indicates that (according to the administrator) the mapping is unsafe to allow setgroups in, and adding more mappings will not change this fact.

"allow_setgroups" is the default, and setting it is a noop. The logic used when applying setgroups policies is unchanged (only denies are written, and we don't write anything if it's already denied).

Signed-off-by: Aleksa Sarai <[email protected]>
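The sticky-deny semantics described in the commit message, as an added C example that is not the commit's own code. The `owner:start:count[:flag]` line layout, the struct and function names, and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumed line layout (not shown in the commit message): owner:start:count[:flag] */
struct entry { char owner[33]; unsigned long start, count; int deny; };
struct range { unsigned long lower, count; };   /* one requested GID mapping */
/* Constructed sample config, not from a real system. */
static const char *const SAMPLE[] = { "alice:100000:65536",
    "alice:200000:1000:deny_setgroups", "alice:300000:1000:allow_setgroups" };

/* Parse one line. Returns 0 on success, -1 if malformed or the flag is unknown. */
static int parse_entry(const char *line, struct entry *e)
{
    char flag[32] = "allow_setgroups";   /* the default when no flag is given */
    if (sscanf(line, "%32[^:]:%lu:%lu:%31s",
               e->owner, &e->start, &e->count, flag) < 3)
        return -1;
    e->deny = strcmp(flag, "deny_setgroups") == 0;
    return (e->deny || strcmp(flag, "allow_setgroups") == 0) ? 0 : -1;
}

/* 1 = deny setgroups, 0 = no restriction, -1 = bad config or undelegated range. */
int setgroups_policy(const char *const *lines, size_t nlines, const char *owner,
                     const struct range *req, size_t nreq)
{
    int deny = 0;
    for (size_t r = 0; r < nreq; r++) {
        int covered = 0;
        for (size_t i = 0; i < nlines; i++) {
            struct entry e;
            if (parse_entry(lines[i], &e) != 0)
                return -1;
            if (strcmp(e.owner, owner) != 0 || req[r].lower < e.start ||
                req[r].count > e.count ||
                req[r].lower - e.start > e.count - req[r].count)
                continue;                /* entry does not contain the range */
            covered = 1;
            deny |= e.deny;              /* sticky: only set, never cleared */
        }
        if (!covered)
            return -1;
    }
    return deny;
}

/* Value to write to /proc/<pid>/setgroups, or NULL when nothing is written. */
const char *setgroups_write(int deny, const char *current)
{
    return (deny == 1 && strncmp(current, "deny", 4) != 0) ? "deny" : NULL;
}
```

A caller has to treat a `-1` policy result as a refusal to map at all; `setgroups_write` only covers the allow and deny outcomes.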