[$] Sticky groups in the shadows
Friday, May 14, 2021, 05:58 PM, from LWN.net
Group membership is normally used to grant access to some resource; examples might include using groups to control access to a shared directory, a printer, or the ability to use tools like sudo. It is possible, though, to use group membership to deny access to a resource instead, and some administrators make use of that feature. But groups only work as a negative credential if the user cannot shed them at will. Occasionally, some way to escape a group has turned up, resulting in vulnerabilities on systems where groups are used to block access. Despite fixes in the past, it turns out that there is still a potential problem with groups and user namespaces; this patch set from Giuseppe Scrivano seeks to mitigate it through the creation of "shadow" groups.
https://lwn.net/Articles/855943/rss