From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>, Ingo Molnar <mingo@elte.hu>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, Kyle McMartin <kyle@mcmartin.ca>,
	Alexander Viro <viro@ftp.linux.org.uk>
Subject: Re: Upstream first policy
Date: Mon, 08 Mar 2010 15:02:22 -0800
Message-ID: <m1fx4apgch.fsf@fess.ebiederm.org>
In-Reply-To: <alpine.LFD.2.00.1003081115280.3989@localhost.localdomain> (Linus Torvalds's message of "Mon\, 8 Mar 2010 11\:18\:33 -0800 \(PST\)")

Linus Torvalds <torvalds@linux-foundation.org> writes:

> On Mon, 8 Mar 2010, Alan Cox wrote:
>>
>> Quite untrue. I've actually *used* path based security systems (DEC10
>> ACLs) and for almost every case it's brain-dead.
>> 
>> Imagine a world where this happened
>
> Alan, stop right there.
>
> You're making the same silly and incorrect mistake that Al did.
>
> Namely thinking that you have to have just one or the other.
>
> When you say "your /etc/passwd example is a special case", you are
> admitting that there are two different cases, but then after that, you
> still don't see the whole point I'm trying to make.
>
> Let me try again:
>
>   THERE ARE DIFFERENT CASES
>
> That's the point. Just admit that, and then let the calm of "Ooh, there 
> are different kinds of circumstances that may want different kinds of 
> rules" permeate you.
>
> My whole (and only) argument is against the "only one way is correct" 
> mentality.


Reading through all of this it occurred to me there is a case where
path names are fundamentally important that shows up for me all of the
time.  If pathnames were not fundamentally important we could apply
a patch like the one below and allow unprivileged users to unshare
the mount namespace and mount filesystems wherever.  There is nothing
fundamental about those operations that requires root privileges except
that you are manipulating the pathnames of objects.

Unfortunately, if we did that, suid executables would become impossible
because they couldn't trust anything to start with.

Even little things like /lib64/ld-linux-x86-64.so are very special things
that you can't let just anyone change.

Eric


diff --git a/fs/namespace.c b/fs/namespace.c
index d69c06f..85ba785 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1650,10 +1650,6 @@ static int do_new_mount(struct path *path, char *type, int flags,
 	if (!type)
 		return -EINVAL;
 
-	/* we need capabilities... */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	lock_kernel();
 	mnt = do_kern_mount(type, flags, name, data);
 	unlock_kernel();
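
Review bot: With the capable(CAP_SYS_ADMIN) test removed, do_new_mount performs no permission test at all between the !type check and do_kern_mount(type, flags, name, data), so the filesystem type, flags and data reach the mount code unchecked from this function's point of view. If unprivileged mounting is the goal, the check should be replaced by a narrower condition rather than dropped, for example still requiring the capability unless the resulting mount is forced nosuid and nodev, with a comment where /* we need capabilities... */ stood explaining what now protects suid binaries and the paths they rely on.
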
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 1e8cda0..00fd7c5 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -180,9 +180,6 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 			       CLONE_NEWNET | CLONE_NEWPID)))
 		return 0;
 
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	*new_nsp = create_new_namespaces(unshare_flags, current,
 				new_fs ? new_fs : current->fs);
 	if (IS_ERR(*new_nsp)) {
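
Review bot: The capable(CAP_SYS_ADMIN) test removed from unshare_nsproxy_namespaces guarded every flag that gets past the early return, and the context line above it shows that set includes CLONE_NEWNET and CLONE_NEWPID, so deleting it opens network and PID namespace creation to unprivileged callers too, not only the mount namespace the message discusses. If only the mount namespace is intended, keep the check and bypass it only when unshare_flags requests nothing beyond CLONE_NEWNS.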

