From: Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Miklos Szeredi <miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>,
	fuse-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
	"Serge H. Hallyn"
	<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
	"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"Eric W. Biederman"
	<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
	Linux FS Devel
	<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH v4 2/5] fuse: Support fuse filesystems outside of init_user_ns
Date: Thu, 16 Oct 2014 01:24:20 +0200	[thread overview]
Message-ID: <20141015232420.GA7630@ubuntu-mba51> (raw)
In-Reply-To: <CALCETrWuc8x60A9v9xSL1Jbk0ZgiXsL_o20wc0PyPDgO9g6BRg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On Wed, Oct 15, 2014 at 04:07:34PM -0700, Andy Lutomirski wrote:
> On Wed, Oct 15, 2014 at 3:59 PM, Seth Forshee
> <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> wrote:
> > On Wed, Oct 15, 2014 at 10:05:46AM -0700, Andy Lutomirski wrote:
> >> On Wed, Oct 15, 2014 at 8:05 AM, Seth Forshee
> >> <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> wrote:
> >> > On Wed, Oct 15, 2014 at 07:49:39AM -0700, Andy Lutomirski wrote:
> >> >> On 10/14/2014 07:25 AM, Seth Forshee wrote:
> >> >> > Update fuse to translate uids and gids to/from the user namespace
> >> >> > of the process servicing requests on /dev/fuse. Any ids which do
> >> >> > not map into the namespace will result in errors. inodes will
> >> >> > also be marked bad when unmappable ids are received from
> >> >> > userspace.
> >> >> >
> >> >> > Due to security concerns the namespace used should be fixed,
> >> >> > otherwise a user might be able to gain elevated privileges or
> >> >> > influence processes that the user would otherwise be unable to
> >> >> > manipulate. Thus the namespace of the mounting process is used
> >> >> > for all translations, and this namespace is required to be the
> >> >> > same as the one in use when /dev/fuse was opened.
> >> >> >
> >> >>
> >> >> I'm not sure that this is necessary if my nosuid patch goes in, but I
> >> >> also don't think it makes any sense to hold this up while we find a
> >> >> perfect solution.
> >> >>
> >> >> Is there a decent way to extend this to different translation schemes in
> >> >> the future (e.g. a flag at fs setup that could be used)?
> >> >
> >> > I think it would be possible to relax the translation scheme
> >> > restrictions in the future, certainly that's easier than tightening down
> >> > a looser restriction. I still favor picking one namespace to use for
> >> > translation (surely that's how it would work with other filesystems
> >> > anyway) rather than using the current namespace during /dev/fuse I/O. I
> >> > did an implementation using the latter technique, and it's far more
> >> > complex with no benefits that I can see.
> >>
> >> Long term, I think we'll want more flexible translations for
> >> filesystems on removable media, even when both the mounter and the
> >> accessing process are in the init user namespace.  But this can wait.
> >
> > You've piqued my interest. What are you thinking of which would require
> > this flexibility?
> >
> 
> For an easy example, if I stick a USB stick into my computer and copy
> a file to it, I probably want the file to be owned by uid 0 in the FS
> metadata (but still owned by me as reported by stat(2) and friends).
> 
> For a more complex example, tools like Sandstorm (http://sandstorm.io)
> probably want to use FUSE mounted by an outer (non-root) userns and
> accessed from an inner userns.  With your patches, this *might* work,
> but it might also be a little tricky.

This at least should work fine with my patches so long as the fuse mount
has the allow_other option and the inner userns is a descendant of the outer
ns. I don't think there's anything tricky, though I do suspect you'll
also want the default_permissions option.

Thanks,
Seth

> 
> I can also see this ability being extremely useful for NFS and other
> network filesystems, where keeping all the uids in sync is currently a
> royal PITA.
> 
> --Andy
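A user-space model of the uid/gid translation the quoted patch summary describes (ids translated against one namespace fixed at mount time, unmappable ids rejected), added here as an illustration; it is not code from the patch or the kernel, and the struct names, the fuse_conn_model type and the sample uid_map are this example's own assumptions:

```c
/* Added illustration (not kernel code): a user-space model of the uid
 * translation the patch description applies to FUSE requests.  A user
 * namespace is modelled as its uid_map ranges ("inside outside count",
 * as in /proc/<pid>/uid_map); a kid is an id in the initial namespace. */
#include <stdint.h>
#include <stddef.h>

#define INVALID_ID ((uint32_t)-1)   /* mirrors (uid_t)-1 from from_kuid() */

struct id_range { uint32_t inside, outside, count; };
struct user_ns  { const struct id_range *map; size_t n; };

/* kernel id -> id as seen inside the namespace (like from_kuid/from_kgid) */
static uint32_t from_kid(const struct user_ns *ns, uint32_t kid)
{
    for (size_t i = 0; i < ns->n; i++)
        if (kid >= ns->map[i].outside && kid - ns->map[i].outside < ns->map[i].count)
            return ns->map[i].inside + (kid - ns->map[i].outside);
    return INVALID_ID;                /* not mapped: caller must treat as error */
}

/* id supplied by the daemon inside the namespace -> kernel id (like make_kuid) */
static uint32_t make_kid(const struct user_ns *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->n; i++)
        if (id >= ns->map[i].inside && id - ns->map[i].inside < ns->map[i].count)
            return ns->map[i].outside + (id - ns->map[i].inside);
    return INVALID_ID;
}

/* Model of a fuse connection: the namespace is recorded at mount time, so
 * translation never depends on whoever happens to do /dev/fuse I/O later. */
struct fuse_conn_model { const struct user_ns *user_ns; };

/* Attributes arriving from the daemon: returns 0 and fills *kuid/*kgid,
 * or -1 when an id is unmappable (the patch then marks the inode bad). */
static int fuse_attr_from_daemon(const struct fuse_conn_model *fc,
                                 uint32_t uid, uint32_t gid,
                                 uint32_t *kuid, uint32_t *kgid)
{
    *kuid = make_kid(fc->user_ns, uid);
    *kgid = make_kid(fc->user_ns, gid);
    return (*kuid == INVALID_ID || *kgid == INVALID_ID) ? -1 : 0;
}

/* Constructed sample map: container root (0) is host uid 100000, 65536 ids. */
static const struct id_range sample_map[] = { { 0, 100000, 65536 } };
static const struct user_ns sample_ns = { sample_map, 1 };
static const struct fuse_conn_model sample_fc = { &sample_ns };
```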


