From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Andrey Vagin <avagin@openvz.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"W. Trevor King" <wking@tremily.us>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jonathan Corbet <corbet@lwn.net>,
Andrei Vagin <avagin@virtuozzo.com>
Subject: Re: [PATCH 0/2] Add further ioctl() operations for namespace discovery
Date: Thu, 22 Dec 2016 23:28:39 +1300 [thread overview]
Message-ID: <87vauc9s14.fsf@xmission.com> (raw)
In-Reply-To: <142285b7-225b-fd15-3c8e-9ae2d02e82b5@gmail.com> (Michael Kerrisk's message of "Thu, 22 Dec 2016 08:20:33 +0100")
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Eric,
>
> On 12/22/2016 01:27 AM, Eric W. Biederman wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> Hi Eric,
>>>
>>> On 12/21/2016 01:17 AM, Eric W. Biederman wrote:
>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>
>>>>> Hi Eric,
>>>>>
>>>>> On 12/20/2016 09:22 PM, Eric W. Biederman wrote:
>>>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>>>
>>>>>>> Hello Eric,
>>>>>>>
>>>>>>> On 12/19/2016 11:53 PM, Eric W. Biederman wrote:
>>>>>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>>>>>
>>
>>>> Now the question becomes who are the users of this? Because it just
>>>> occurred to me that we now have an interesting complication. Userspace
>>>> extending the meaning of the capability bits, and using to protect
>>>> additional things. Ugh. That could be a maintenance problem of another
>>>> flavor. Definitely not my favorite.
>>>
>>> I don't follow you here. Could you say some more about what you mean?
>>
>> I have seen user space userspace do thing such as extend CAP_SYS_REBOOT
>> to things such as permission to invoke "shutdown -r now". Which
>> depending on what a clean reboot entails could be greately increasing
>> the scope of CAP_SYS_REBOOT.
>>
>> I am concerned for that and similar situations that userspace
>> applications could lead us into situation that one wrong decision could
>> wind up being an unfixable mistake because fixing the mistake would
>> break userspsace.
>
> Okay.
>
>>>> So why are we asking the questions about what permissions a process has?
>>>
>>> My main interest here is monitoring/discovery/debugging on a running
>>> system. NS_GET_PARENT, NS_GET_USERNS, NS_GET_CREATOR_UID, and
>>> NS_GET_NSTYPE provide most of what I'd like to see. Being able to ask
>>> "does this process have permissions in that namespace?" would be nice
>>> to have in terms of understanding/debugging a system.
>>
>> If we are just looking at explanations then I seem to have been
>> over-engineering things. So let's just aim at the two ioctls.
>> Or at least the information in those ioctls.
>
> Okay.
>
>> With at least a comment on the ioctl returning the OWNER_UID that
>> describes why it is not a problem to if the owners uid is something like
>> ((uid_t)-3). Which overlaps with the space for error return codes.
>>
>> I don't know if we are fine or not, but that review comment definitely
>> deserves some consideration.
>
>
> See my reply just sent to Andrei. We should instead then just return
> the UID via a buffer pointed to by the ioctl() argument:
>
> ioctl(fd, NS_GET_OWNER_UID, &uid);
That will work without problem. Especially as unsigned int is the same
on both 32bit and 64bit so we won't need a compat ioctl.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Andrey Vagin <avagin@openvz.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"W. Trevor King" <wking@tremily.us>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jonathan Corbet <corbet@lwn.net>,
Andrei Vagin <avagin@virtuozzo.com>
Subject: Re: [PATCH 0/2] Add further ioctl() operations for namespace discovery
Date: Thu, 22 Dec 2016 23:28:39 +1300 [thread overview]
Message-ID: <87vauc9s14.fsf@xmission.com> (raw)
In-Reply-To: <142285b7-225b-fd15-3c8e-9ae2d02e82b5@gmail.com> (Michael Kerrisk's message of "Thu, 22 Dec 2016 08:20:33 +0100")
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Eric,
>
> On 12/22/2016 01:27 AM, Eric W. Biederman wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> Hi Eric,
>>>
>>> On 12/21/2016 01:17 AM, Eric W. Biederman wrote:
>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>
>>>>> Hi Eric,
>>>>>
>>>>> On 12/20/2016 09:22 PM, Eric W. Biederman wrote:
>>>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>>>
>>>>>>> Hello Eric,
>>>>>>>
>>>>>>> On 12/19/2016 11:53 PM, Eric W. Biederman wrote:
>>>>>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>>>>>
>>
>>>> Now the question becomes who are the users of this? Because it just
>>>> occurred to me that we now have an interesting complication. Userspace
>>>> extending the meaning of the capability bits, and using to protect
>>>> additional things. Ugh. That could be a maintenance problem of another
>>>> flavor. Definitely not my favorite.
>>>
>>> I don't follow you here. Could you say some more about what you mean?
>>
>> I have seen user space userspace do thing such as extend CAP_SYS_REBOOT
>> to things such as permission to invoke "shutdown -r now". Which
>> depending on what a clean reboot entails could be greately increasing
>> the scope of CAP_SYS_REBOOT.
>>
>> I am concerned for that and similar situations that userspace
>> applications could lead us into situation that one wrong decision could
>> wind up being an unfixable mistake because fixing the mistake would
>> break userspsace.
>
> Okay.
>
>>>> So why are we asking the questions about what permissions a process has?
>>>
>>> My main interest here is monitoring/discovery/debugging on a running
>>> system. NS_GET_PARENT, NS_GET_USERNS, NS_GET_CREATOR_UID, and
>>> NS_GET_NSTYPE provide most of what I'd like to see. Being able to ask
>>> "does this process have permissions in that namespace?" would be nice
>>> to have in terms of understanding/debugging a system.
>>
>> If we are just looking at explanations then I seem to have been
>> over-engineering things. So let's just aim at the two ioctls.
>> Or at least the information in those ioctls.
>
> Okay.
>
>> With at least a comment on the ioctl returning the OWNER_UID that
>> describes why it is not a problem to if the owners uid is something like
>> ((uid_t)-3). Which overlaps with the space for error return codes.
>>
>> I don't know if we are fine or not, but that review comment definitely
>> deserves some consideration.
>
>
> See my reply just sent to Andrei. We should instead then just return
> the UID via a buffer pointed to by the ioctl() argument:
>
> ioctl(fd, NS_GET_OWNER_UID, &uid);
That will work without problem. Especially as unsigned int is the same
on both 32bit and 64bit so we won't need a compat ioctl.
Eric
next prev parent reply other threads:[~2016-12-22 10:28 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-19 14:38 [PATCH 0/2] Add further ioctl() operations for namespace discovery Michael Kerrisk (man-pages)
2016-12-19 14:38 ` Michael Kerrisk (man-pages)
[not found] ` <0e229ec4-e3fc-dd46-c5b9-3afa0f14bfcd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-19 22:53 ` Eric W. Biederman
2016-12-19 22:53 ` Eric W. Biederman
[not found] ` <87bmw7pm31.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-12-20 15:35 ` Michael Kerrisk (man-pages)
2016-12-20 15:35 ` Michael Kerrisk (man-pages)
[not found] ` <65dd9028-8aa8-123e-ddff-807c44079a50-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-12-20 20:22 ` Eric W. Biederman
2016-12-20 20:22 ` Eric W. Biederman
[not found] ` <878trae4g6.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-12-20 20:55 ` Michael Kerrisk (man-pages)
2016-12-20 20:55 ` Michael Kerrisk (man-pages)
2016-12-21 0:17 ` Eric W. Biederman
2016-12-21 0:17 ` Eric W. Biederman
2016-12-21 9:53 ` Michael Kerrisk (man-pages)
2016-12-22 0:27 ` Eric W. Biederman
2016-12-22 0:27 ` Eric W. Biederman
2016-12-22 7:20 ` Michael Kerrisk (man-pages)
2016-12-22 10:28 ` Eric W. Biederman [this message]
2016-12-22 10:28 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vauc9s14.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=avagin@openvz.org \
--cc=avagin@virtuozzo.com \
--cc=corbet@lwn.net \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wking@tremily.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.