From: Eric Van Hensbergen <ericvh@gmail.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
smfrench@austin.rr.com, hch@infradead.org
Subject: Re: [RCF] [PATCH] unprivileged mount/umount
Date: Wed, 4 May 2005 08:08:00 -0500 [thread overview]
Message-ID: <a4e6962a05050406086e3ab83b@mail.gmail.com> (raw)
In-Reply-To: <E1DSyQx-0002ku-00@dorka.pomaz.szeredi.hu>
On 5/3/05, Miklos Szeredi <miklos@szeredi.hu> wrote:
> This (lightly tested) patch against 2.6.12-rc* adds some
> infrastructure and basic functionality for unprivileged mount/umount
> system calls.
>
> Details:
>
> - new mnt_owner field in struct vfsmount
> - if mnt_owner is NULL, it's a privileged mount
> - global limit on unprivileged mounts in /proc/sys/fs/mount-max
> - per user limit of mounts in rlimit
I was starting down this track in my tree, but I'm glad you beat me to it ;).
Your initial limit (10) seems low if you consider binds as mounts. I
can easily see a user using more than 10 binds in an environment. As
Ram mentioned earlier - we are going to run into problems with the
shared-subtree stuff if propagations into private namespaces count as
a new mount. We need to think through how we are going to deal with
this.
> - allow umount for the owner (except force flag)
> - allow unprivileged bind mount to files/directories writable by owner
> - add nosuid,nodev flags to unprivileged mounts
>
> Next step would be to add some policy for new mounts. I'm thinking of
> either something static: e.g. FS_SAFE flag for "safe" filesystems, or
> a more configurable approach through sysfs or something.
>
I think the FS_SAFE stuff needs to be part of this patch. Folks made
a pretty good argument that mounting corrupted images with certain
file systems could be a really bad thing. I'm not sure on the whole
sysfs configurable approach -- it seems like more advanced policies
would be best handled in user-space.
My major complaint is that I really think having user mounts without
requiring them to be in a user's private namespace creates quite a
mess. It potentially pollutes the system's namespace and opens up the
possibility of all sorts of synthetic file system "traps". I'd rather
see the private namespace stuff enforced before enabling user-mounts.
-eric
next prev parent reply other threads:[~2005-05-04 13:08 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-03 14:31 [RCF] [PATCH] unprivileged mount/umount Miklos Szeredi
2005-05-03 17:30 ` Bill Davidsen
2005-05-04 13:08 ` Eric Van Hensbergen [this message]
2005-05-04 14:21 ` Miklos Szeredi
2005-05-04 14:51 ` Eric Van Hensbergen
2005-05-04 15:21 ` Miklos Szeredi
2005-05-11 8:51 ` Christoph Hellwig
2005-05-11 10:31 ` Miklos Szeredi
2005-05-12 21:08 ` Bryan Henderson
2005-05-13 5:47 ` Miklos Szeredi
2005-05-13 7:19 ` Jan Hudec
2005-05-13 8:33 ` Miklos Szeredi
2005-05-13 23:09 ` Bryan Henderson
2005-05-14 6:58 ` Miklos Szeredi
2005-05-16 18:35 ` Bryan Henderson
2005-05-14 11:49 ` Jamie Lokier
2005-05-04 13:47 ` Martin Waitz
2005-05-04 14:34 ` Miklos Szeredi
2005-05-11 8:53 ` Christoph Hellwig
2005-05-11 8:48 ` Christoph Hellwig
2005-05-11 10:20 ` Miklos Szeredi
2005-05-16 9:34 ` Christoph Hellwig
[not found] <406SQ-5P9-5@gated-at.bofh.it>
[not found] ` <40rNB-6p8-3@gated-at.bofh.it>
[not found] ` <40t37-7ol-5@gated-at.bofh.it>
[not found] ` <42VeB-8hG-3@gated-at.bofh.it>
[not found] ` <42WNo-1eJ-17@gated-at.bofh.it>
2005-05-11 16:41 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
2005-05-11 17:07 ` Jamie Lokier
2005-05-11 18:49 ` Miklos Szeredi
2005-05-11 19:05 ` serue
2005-05-11 19:46 ` Bodo Eggert
2005-05-11 20:40 ` Miklos Szeredi
2005-05-11 21:11 ` Jamie Lokier
2005-05-12 3:05 ` serue
2005-05-11 19:35 ` Ram
2005-05-11 20:31 ` Miklos Szeredi
2005-05-11 21:28 ` Jamie Lokier
2005-05-11 22:42 ` Ram
2005-05-11 22:58 ` Eric Van Hensbergen
2005-05-12 1:02 ` Jamie Lokier
2005-05-12 2:18 ` Eric Van Hensbergen
2005-05-12 6:45 ` Jamie Lokier
2005-05-12 13:23 ` Eric Van Hensbergen
2005-05-12 13:47 ` serue
2005-05-12 15:16 ` Jamie Lokier
2005-05-12 12:51 ` serue
2005-05-12 18:51 ` Miklos Szeredi
2005-05-12 19:56 ` Jamie Lokier
2005-05-13 8:55 ` Miklos Szeredi
2005-05-13 1:10 ` Ram
2005-05-13 6:06 ` Miklos Szeredi
2005-05-13 7:25 ` Ram
2005-05-13 8:59 ` Ram
2005-05-13 9:10 ` Miklos Szeredi
2005-05-13 16:53 ` Ram
2005-05-13 17:14 ` Miklos Szeredi
2005-05-13 18:44 ` Alan Cox
2005-05-13 20:56 ` Bryan Henderson
2005-05-12 0:59 ` Jamie Lokier
2005-05-13 6:41 ` Ram
2005-05-11 21:09 ` Jamie Lokier
2005-05-11 21:20 ` Miklos Szeredi
2005-05-11 21:32 ` Jamie Lokier
2005-05-11 19:32 ` Bodo Eggert
2005-05-11 21:23 ` Jamie Lokier
2005-05-11 21:34 ` Miklos Szeredi
2005-05-11 21:36 ` Jamie Lokier
2005-05-12 3:08 ` serue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a4e6962a05050406086e3ab83b@mail.gmail.com \
--to=ericvh@gmail.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=smfrench@austin.rr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.