From: "Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
	"Eric W. Biederman"
	<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: "linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	richard -rw- weinberger
	<richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Subject: Re: For review: user_namespace(7) man page
Date: Thu, 11 Sep 2014 07:47:17 -0700
Message-ID: <5411B5F5.2090500@gmail.com>
In-Reply-To: <CALCETrV4WizRXD9JuwibUBbQE9hhNrRDJ3cYyXdhd=OfPziF5g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Hi Andy,

On 09/09/2014 12:26 PM, Andy Lutomirski wrote:
> On Tue, Sep 9, 2014 at 9:05 AM, Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>>
>> We may also want to discuss the specific restrictions on chroot.
>>
>> The text about chroot at least gives people a strong hint that the
>> chroot rules are affected by user namespaces.
>>
>> The restrictions that we have settled on to avoid chroot being a problem
>> are that the creator of a user namespace must not be chrooted in their
>> current mount namespace, and the creator of the user namespace must not
>> be threaded.
>>
>> Andy, can you check me on this? It looks like unshare is currently buggy
>> in that it will allow a threaded application to create a user namespace.
> 
> I think it's this code in unshare:
> 
>     /*
>      * If unsharing a user namespace must also unshare the thread.
>      */
>     if (unshare_flags & CLONE_NEWUSER)
>         unshare_flags |= CLONE_THREAD | CLONE_FS;
> 
> I suppose that this should be documented.
> 
> CLONE_FS prevents the chroot from leaking out of the namespace.  (But
> see the other thread that I'm about to start...)

So, in the current draft of the setns(2) page, there is

    CLONE_NEWNS
        ...
        Since Linux 3.9, CLONE_NEWUSER also automatically implies
        CLONE_FS.

Does that cover your point? Or did you mean that more needs to be said?

Thanks,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
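As an added example (not code from this thread or from the kernel), the following C program exercises the rule Andy quotes: because unshare(CLONE_NEWUSER) implicitly adds CLONE_THREAD, the kernel must refuse the call once the caller has more than one thread. The single-threaded probe in main is there for contrast; it fails with EPERM where unprivileged user namespaces are disabled or the caller is chrooted, and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 0 on success, otherwise the errno reported by unshare(CLONE_NEWUSER). */
static int unshare_userns_errno(void)
{
    return unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
}

/* Parks a helper thread so the process stays multithreaded. */
static void *idle_thread(void *arg)
{
    (void)arg;
    pause();            /* cancellation point; cancelled when the probe is done */
    return NULL;
}

/*
 * Try to create a user namespace while a second thread exists.  Because the
 * kernel folds CLONE_THREAD into the request, this must fail; on a stock
 * kernel the error is EINVAL.  Returns the errno (non-zero), or 0 if the
 * kernel allowed it, which is the bug Eric asks Andy to check for.
 */
int threaded_unshare_userns(void)
{
    pthread_t tid;
    int rc = pthread_create(&tid, NULL, idle_thread, NULL);
    if (rc != 0)
        return rc;      /* could not become multithreaded; report that errno */
    int err = unshare_userns_errno();
    pthread_cancel(tid);
    pthread_join(tid, NULL);
    return err;
}

int main(void)
{
    /* Single-threaded first: succeeds only if unprivileged user namespaces
     * are enabled and the caller is not chrooted; EPERM otherwise. */
    int err = unshare_userns_errno();
    printf("single-threaded unshare(CLONE_NEWUSER): %s\n",
           err ? strerror(err) : "ok");
    err = threaded_unshare_userns();
    printf("threaded unshare(CLONE_NEWUSER): %s\n",
           err ? strerror(err) : "ok (unexpected: threaded creation allowed)");
    return 0;
}
```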
