From: Frank van Maarseveen <frankvm@frankvm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: frankvm@frankvm.com, akpm@osdl.org, aia21@cam.ac.uk,
arjan@infradead.org, linux-kernel@vger.kernel.org
Subject: Re: FUSE merging? (2)
Date: Mon, 4 Jul 2005 11:59:14 +0200 [thread overview]
Message-ID: <20050704095914.GA6949@janus> (raw)
In-Reply-To: <E1DpMkg-00064O-00@dorka.pomaz.szeredi.hu>
On Mon, Jul 04, 2005 at 10:56:30AM +0200, Miklos Szeredi wrote:
> > It is important because on UNIX, "root" rules on local filesystems.
> > I dont't like the idea of root not being able to run "find -xdev"
> > anymore for administrative tasks, just because something got hidden
> > by accident or just for fun by a user. It's not about malicious
> > users who want to hide data: they can do that in tons of ways.
>
> That's a sort of security by obscurity: if the user is dumb enough he
> cannot do any harm. But I'm not interested in that sort of thing. If
> this issue important, then it should be solved properly, and not just
> by "preventing accidents".
"solving it properly" refers to hardening the leaf node constraint
against circumvention I assume. Suppose there's a script for doing simple
on-line backups using "find". Now explain to the user why he lost his
data due to a backup script geting EACCES on a non-leaf FUSE mount. I
don't think that's acceptable. On the other hand, when the user stored
something _deliberately_ under a mountpoint, circumventing the leaf node
constraint by some trickery then it is clearly his own fault when the data
is lost. Anyway, a leaf node constraint can be hardened against misuse
later on, should it become necessary. Your bind-mount case to circumvent
this restriction is slightly flawed because it requires root interaction.
>
> There's a nice solution to this (discussed at length earlier): private
> namespaces.
I thought that's rejected because a process doesn't automatically get the
right namespace after rsh into such a machine? And fixing it by adjusting
the name-space of a process (by whatever means) is not transparent.
> I think we are still confusing these two issues, which are in fact
> separate.
>
> 1) polluting global namespace is bad (find -xdev issue)
>
> 2) not ptraceable (or not killable) processes should not be able to
> access an unprivileged mount
>
> For 1) private namespaces are the proper solution. For 2) the
> fuse_allow_task() in it's current or modified form (to check
> killability) should be OK.
>
> 1) is completely orthogonal to FUSE. 2) is currently provably secure,
> and doesn't seem cause problems in practice. Do you have a concrete
> example, where it would cause problems?
See above backup scenario.
Issues (1) and (2) are tied together I'm afraid:
When using a private name-space and thus assuming an unrelated process
needs to do something very special to get that name-space then (2)
would not be needed at all.
On the other hand, Name-space inheritance by setuid processes suddenly
becomes an issue: issue (2) is re-appearing but at another place.
--
Frank
next prev parent reply other threads:[~2005-07-04 10:11 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-30 9:19 FUSE merging? Miklos Szeredi
2005-06-30 9:27 ` Andrew Morton
2005-06-30 9:51 ` Miklos Szeredi
2005-06-30 10:00 ` Arjan van de Ven
2005-06-30 10:12 ` Miklos Szeredi
2005-06-30 10:20 ` Arjan van de Ven
2005-06-30 10:24 ` Miklos Szeredi
2005-06-30 19:39 ` Avuton Olrich
2005-07-01 6:23 ` Miklos Szeredi
2005-06-30 11:13 ` Anton Altaparmakov
2005-06-30 19:46 ` Andrew Morton
2005-06-30 20:00 ` Andrew Morton
2005-07-01 6:40 ` Miklos Szeredi
2005-06-30 22:28 ` Frank van Maarseveen
2005-07-01 6:58 ` Miklos Szeredi
2005-07-01 9:24 ` Frank van Maarseveen
2005-07-01 10:27 ` Miklos Szeredi
2005-07-01 12:00 ` Frank van Maarseveen
2005-07-01 12:36 ` Miklos Szeredi
2005-07-01 13:05 ` Frank van Maarseveen
2005-07-01 13:21 ` Miklos Szeredi
2005-07-01 15:20 ` Frank van Maarseveen
2005-07-01 17:04 ` Miklos Szeredi
2005-07-01 18:04 ` Frank van Maarseveen
2005-07-01 19:35 ` Jeremy Maitin-Shepard
2005-07-02 14:49 ` Miklos Szeredi
2005-07-02 16:00 ` Frank van Maarseveen
2005-07-03 6:16 ` Miklos Szeredi
2005-07-03 11:25 ` Frank van Maarseveen
2005-07-03 13:24 ` Miklos Szeredi
2005-07-03 13:50 ` Frank van Maarseveen
2005-07-03 14:03 ` Miklos Szeredi
2005-07-03 14:10 ` FUSE merging? (2) Frank van Maarseveen
2005-07-03 15:47 ` Miklos Szeredi
2005-07-03 19:36 ` Frank van Maarseveen
2005-07-04 8:56 ` Miklos Szeredi
2005-07-04 9:59 ` Frank van Maarseveen [this message]
2005-07-04 10:27 ` Miklos Szeredi
2005-07-04 11:26 ` Frank van Maarseveen
2005-07-01 6:36 ` FUSE merging? Miklos Szeredi
2005-07-01 6:50 ` Andrew Morton
2005-07-01 7:07 ` Miklos Szeredi
2005-07-01 7:14 ` Andrew Morton
2005-07-01 7:27 ` Miles Bader
2005-07-01 7:38 ` Miklos Szeredi
2005-07-01 8:02 ` Andrew Morton
2005-07-01 10:11 ` Miklos Szeredi
2005-07-01 11:29 ` Andrew Morton
2005-07-01 12:00 ` Miklos Szeredi
2005-07-01 12:53 ` Anton Altaparmakov
2005-07-01 13:07 ` Anton Altaparmakov
2005-07-01 13:51 ` Frank van Maarseveen
2005-07-01 13:29 ` Eric Van Hensbergen
2005-07-01 16:45 ` Matthias Urlichs
2005-07-01 12:08 ` Frank van Maarseveen
2005-07-01 13:21 ` Eric Van Hensbergen
2005-07-01 13:53 ` Miklos Szeredi
2005-07-01 14:18 ` Eric Van Hensbergen
2005-07-01 14:31 ` Miklos Szeredi
2005-07-02 10:01 ` Eric W. Biederman
2005-07-02 14:58 ` Miklos Szeredi
2005-07-02 16:43 ` Eric Van Hensbergen
2005-07-02 17:33 ` Eric W. Biederman
2005-07-03 19:39 ` Pavel Machek
2005-07-04 8:38 ` Miklos Szeredi
[not found] ` <20050704084900.GG15370@elf.ucw.cz>
2005-07-04 9:02 ` Miklos Szeredi
2005-07-04 10:46 ` Pekka Enberg
2005-07-01 12:37 ` bert hubert
2005-07-01 7:46 ` Frederik Deweerdt
2005-07-01 9:47 ` Miklos Szeredi
2005-07-01 9:36 ` Frank van Maarseveen
2005-07-01 10:45 ` Miklos Szeredi
2005-07-01 11:34 ` Frank van Maarseveen
2005-06-30 10:16 ` Miklos Szeredi
2005-06-30 16:30 ` Pavel Machek
[not found] <4ly7J-14H-9@gated-at.bofh.it>
[not found] ` <4lRDA-4U-55@gated-at.bofh.it>
[not found] ` <4lSJa-16Z-7@gated-at.bofh.it>
[not found] ` <4m5ZG-2ok-1@gated-at.bofh.it>
[not found] ` <4maPM-5XJ-5@gated-at.bofh.it>
[not found] ` <4mcHV-7no-21@gated-at.bofh.it>
[not found] ` <4mduc-7Zg-1@gated-at.bofh.it>
[not found] ` <4mfcJ-UT-17@gated-at.bofh.it>
[not found] ` <4mitV-3mL-3@gated-at.bofh.it>
[not found] ` <4mv7Q-2Ki-19@gated-at.bofh.it>
[not found] ` <4mwdG-3AP-15@gated-at.bofh.it>
[not found] ` <4mwwX-3N9-9@gated-at.bofh.it>
2005-07-04 13:09 ` FUSE merging? (2) Bodo Eggert
2005-07-04 13:17 ` Miklos Szeredi
2005-07-04 15:19 ` Ragnar Kjørstad
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050704095914.GA6949@janus \
--to=frankvm@frankvm.com \
--cc=aia21@cam.ac.uk \
--cc=akpm@osdl.org \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.