From: Ram Pai <linuxram@us.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: serue@us.ibm.com, akpm@linux-foundation.org,
linux-fsdevel@vger.kernel.org, containers@lists.osdl.org,
util-linux-ng@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [patch 0/8] unprivileged mount syscall
Date: Mon, 16 Apr 2007 01:18:29 -0700 [thread overview]
Message-ID: <1176711509.9488.4.camel@ram.us.ibm.com> (raw)
In-Reply-To: <E1HcMOq-0002As-00@dorka.pomaz.szeredi.hu>
On Fri, 2007-04-13 at 16:05 +0200, Miklos Szeredi wrote:
> > > Thinking a bit more about this, I'm quite sure most users wouldn't
> > > even want private namespaces. It would be enough to
> > >
> > > chroot /share/$USER
> > >
> > > and be done with it.
> > >
> > > Private namespaces are only good for keeping a bunch of mounts
> > > referenced by a group of processes. But my guess is, that the natural
> > > behavior for users is to see a persistent set of mounts.
> > >
> > > If for example they mount something on a remote machine, then log out
> > > from the ssh session and later log back in, they would want to see
> > > their previous mount still there.
> > >
> > > Miklos
> >
> > Agreed on desired behavior, but not on chroot sufficing. It actually
> > sounds like you want exactly what was outlined in the OLS paper.
> >
> > Users still need to be in a different mounts namespace from the admin
> > user so long as we consider the deluser and backup problems
>
> I don't think it matters, because /share/$USER duplicates a part or
> the whole of the user's namespace.
>
> So backup would have to be taught about /share anyway, and deluser
> operates on /home/$USER and not on /share/*, so there shouldn't be any
> problem.
>
> There's actually very little difference between rbind+chroot, and
> CLONE_NEWNS. In a private namespace:
>
> 1) when no more processes reference the namespace, the tree will be
> disbanded
>
> 2) the mount tree won't be accessible from outside the namespace
>
> Wanting a persistent namespace contradicts 1).
>
> Wanting a per-user (as opposed to per-session) namespace contradicts
> 2). The namespace _has_ to be accessible from outside, so that a new
> session can access/copy it.
As i mentioned in the previous mail, disbanding all the namespaces of a
user will not disband his mount tree, because a mirror of the mount tree
still continues to exist in /share/$USER in the admin namespace.
And a new user session can always use this copy to create a namespace
that looks identical to that which existed earlier.
>
> So both requirements point to the rbind/chroot solution.
Arn't there ways to escape chroot jails? Serge had pointed me to a URL
which showed chroots can be escaped. And if that is true than having all
user's private mount tree in the same namespace can be a security issue?
RP
>
> Miklos
WARNING: multiple messages have this Message-ID (diff)
From: Ram Pai <linuxram-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Miklos Szeredi <miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>
Cc: serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
util-linux-ng-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [patch 0/8] unprivileged mount syscall
Date: Mon, 16 Apr 2007 01:18:29 -0700 [thread overview]
Message-ID: <1176711509.9488.4.camel@ram.us.ibm.com> (raw)
In-Reply-To: <E1HcMOq-0002As-00-VFwzv6uONVrxNFs70CDYszOMxtEWgIxa@public.gmane.org>
On Fri, 2007-04-13 at 16:05 +0200, Miklos Szeredi wrote:
> > > Thinking a bit more about this, I'm quite sure most users wouldn't
> > > even want private namespaces. It would be enough to
> > >
> > > chroot /share/$USER
> > >
> > > and be done with it.
> > >
> > > Private namespaces are only good for keeping a bunch of mounts
> > > referenced by a group of processes. But my guess is, that the natural
> > > behavior for users is to see a persistent set of mounts.
> > >
> > > If for example they mount something on a remote machine, then log out
> > > from the ssh session and later log back in, they would want to see
> > > their previous mount still there.
> > >
> > > Miklos
> >
> > Agreed on desired behavior, but not on chroot sufficing. It actually
> > sounds like you want exactly what was outlined in the OLS paper.
> >
> > Users still need to be in a different mounts namespace from the admin
> > user so long as we consider the deluser and backup problems
>
> I don't think it matters, because /share/$USER duplicates a part or
> the whole of the user's namespace.
>
> So backup would have to be taught about /share anyway, and deluser
> operates on /home/$USER and not on /share/*, so there shouldn't be any
> problem.
>
> There's actually very little difference between rbind+chroot, and
> CLONE_NEWNS. In a private namespace:
>
> 1) when no more processes reference the namespace, the tree will be
> disbanded
>
> 2) the mount tree won't be accessible from outside the namespace
>
> Wanting a persistent namespace contradicts 1).
>
> Wanting a per-user (as opposed to per-session) namespace contradicts
> 2). The namespace _has_ to be accessible from outside, so that a new
> session can access/copy it.
As i mentioned in the previous mail, disbanding all the namespaces of a
user will not disband his mount tree, because a mirror of the mount tree
still continues to exist in /share/$USER in the admin namespace.
And a new user session can always use this copy to create a namespace
that looks identical to that which existed earlier.
>
> So both requirements point to the rbind/chroot solution.
Arn't there ways to escape chroot jails? Serge had pointed me to a URL
which showed chroots can be escaped. And if that is true than having all
user's private mount tree in the same namespace can be a security issue?
RP
>
> Miklos
next prev parent reply other threads:[~2007-04-16 8:20 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-04 18:30 [patch 0/8] unprivileged mount syscall Miklos Szeredi
2007-04-04 18:30 ` [patch 1/8] add user mounts to the kernel Miklos Szeredi
2007-04-04 18:30 ` [patch 2/8] allow unprivileged umount Miklos Szeredi
2007-04-04 18:30 ` [patch 3/8] account user mounts Miklos Szeredi
2007-04-04 18:30 ` [patch 4/8] propagate error values from clone_mnt Miklos Szeredi
2007-04-04 18:30 ` [patch 5/8] allow unprivileged bind mounts Miklos Szeredi
2007-04-04 18:30 ` [patch 6/8] put declaration of put_filesystem() in fs.h Miklos Szeredi
2007-04-04 18:30 ` [patch 7/8] allow unprivileged mounts Miklos Szeredi
2007-04-04 18:30 ` [patch 8/8] allow unprivileged fuse mounts Miklos Szeredi
2007-04-06 23:02 ` [patch 0/8] unprivileged mount syscall Andrew Morton
2007-04-06 23:02 ` Andrew Morton
2007-04-06 23:16 ` H. Peter Anvin
2007-04-06 23:55 ` Jan Engelhardt
2007-04-07 0:22 ` H. Peter Anvin
2007-04-07 3:40 ` Eric Van Hensbergen
2007-04-07 6:48 ` Miklos Szeredi
2007-04-07 6:48 ` Miklos Szeredi
2007-04-10 8:52 ` Ian Kent
2007-04-11 10:48 ` Miklos Szeredi
2007-04-11 10:48 ` Miklos Szeredi
2007-04-11 13:48 ` Ian Kent
2007-04-11 14:26 ` Serge E. Hallyn
2007-04-11 14:26 ` Serge E. Hallyn
2007-04-11 14:27 ` Ian Kent
2007-04-11 14:27 ` Ian Kent
2007-04-11 14:45 ` Serge E. Hallyn
2007-04-11 14:45 ` Serge E. Hallyn
2007-04-07 6:41 ` Miklos Szeredi
2007-04-09 14:38 ` Serge E. Hallyn
2007-04-09 14:38 ` Serge E. Hallyn
2007-04-09 16:24 ` Miklos Szeredi
2007-04-09 16:24 ` Miklos Szeredi
2007-04-09 17:07 ` Serge E. Hallyn
2007-04-09 17:46 ` Ram Pai
2007-04-09 18:25 ` H. Peter Anvin
2007-04-10 10:33 ` Karel Zak
2007-04-09 20:10 ` Miklos Szeredi
2007-04-10 8:38 ` Ram Pai
2007-04-11 10:44 ` Miklos Szeredi
2007-04-11 18:28 ` Ram Pai
2007-04-11 18:28 ` Ram Pai
2007-04-13 11:58 ` Miklos Szeredi
2007-04-13 11:58 ` Miklos Szeredi
2007-04-13 13:28 ` Serge E. Hallyn
2007-04-13 13:28 ` Serge E. Hallyn
2007-04-13 14:05 ` Miklos Szeredi
2007-04-13 21:44 ` Serge E. Hallyn
2007-04-15 20:39 ` Miklos Szeredi
2007-04-15 20:39 ` Miklos Szeredi
2007-04-16 1:11 ` Serge E. Hallyn
2007-04-16 1:11 ` Serge E. Hallyn
2007-04-16 8:18 ` Ram Pai [this message]
2007-04-16 8:18 ` Ram Pai
2007-04-16 9:27 ` Miklos Szeredi
2007-04-16 9:27 ` Miklos Szeredi
2007-04-16 15:40 ` Eric W. Biederman
2007-04-16 15:55 ` Miklos Szeredi
2007-04-16 15:55 ` Miklos Szeredi
2007-04-13 20:07 ` Karel Zak
2007-04-15 20:21 ` Miklos Szeredi
2007-04-15 20:21 ` Miklos Szeredi
2007-04-16 7:59 ` Ram Pai
2007-04-16 7:59 ` Ram Pai
2007-04-09 18:57 ` Serge E. Hallyn
2007-04-09 20:14 ` Miklos Szeredi
2007-04-09 20:55 ` Serge E. Hallyn
[not found] ` <20070409205506.GC20226-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
2007-04-11 19:43 ` Miklos Szeredi
[not found] ` <E1Hbiih-00060L-00-VFwzv6uONVrxNFs70CDYszOMxtEWgIxa@public.gmane.org>
2007-04-11 20:05 ` Serge E. Hallyn
2007-04-11 20:41 ` Miklos Szeredi
2007-04-11 20:57 ` Serge E. Hallyn
[not found] ` <20070404183012.429274832-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>
2007-04-09 22:00 ` Serge E. Hallyn
2007-04-11 10:32 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1176711509.9488.4.camel@ram.us.ibm.com \
--to=linuxram@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.osdl.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serue@us.ibm.com \
--cc=util-linux-ng@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.