From: ebiederm@xmission.com (Eric W. Biederman)
To: Glauber Costa <glommer@parallels.com>
Cc: cgroups@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
mtk.manpages@gmail.com, Serge Hallyn <serge.hallyn@canonical.com>,
linux-fsdevel@vger.kernel.org,
containers@lists.linux-foundation.org,
Aristeu Rozanski <aris@redhat.com>
Subject: Re: [PATCH 3/4] fs: allow mknod in user namespaces
Date: Fri, 15 Mar 2013 13:43:10 -0700 [thread overview]
Message-ID: <87a9q4gzs1.fsf@xmission.com> (raw)
In-Reply-To: <1363338823-25292-4-git-send-email-glommer@parallels.com> (Glauber Costa's message of "Fri, 15 Mar 2013 13:13:42 +0400")
Glauber Costa <glommer@parallels.com> writes:
> Since we have strict control on who access the devices, it should be
> no problem to allow the device to appear.
Having cgroups or user namespaces grant privileges makes me uneasy.
With these patches it looks like I can do something evil like.
1. Create a devcgroup.
2. Put a process in it.
3. Create a usernamespace.
4. Run a container in that user namespace.
5. As an unprivileged user in that user namespace create another user namespace.
6. Call mknod and have it succeed.
Or in short I don't think this handles nested user namespaces at all.
With or without Serge's suggested change.
At a practical level now is not the right time to be granting more
permissions to user namespaces. Lately too many silly bugs have been
found in what is already there.
Eric
next prev parent reply other threads:[~2013-03-15 20:43 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-15 9:13 [PATCH 0/4] fix depvpts in user namespaces Glauber Costa
[not found] ` <1363338823-25292-1-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 9:13 ` [PATCH 1/4] dev_cgroup: keep track of which cgroup is the root cgroup Glauber Costa
[not found] ` <1363338823-25292-2-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:07 ` Serge Hallyn
2013-03-15 14:43 ` Glauber Costa
2013-03-15 14:55 ` Serge Hallyn
2013-03-15 19:27 ` Aristeu Rozanski
2013-03-15 9:13 ` [PATCH 2/4] fs: allow dev accesses in userns in controlled situations Glauber Costa
2013-03-15 14:20 ` Serge Hallyn
2013-03-15 9:13 ` [PATCH 3/4] fs: allow mknod in user namespaces Glauber Costa
[not found] ` <1363338823-25292-4-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:37 ` Serge Hallyn
2013-03-15 14:49 ` Glauber Costa
[not found] ` <51433511.1020808-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:14 ` Serge Hallyn
2013-03-15 18:03 ` Vasily Kulikov
2013-03-15 20:43 ` Eric W. Biederman [this message]
2013-03-16 0:23 ` Serge Hallyn
2013-03-15 9:13 ` [PATCH 4/4] devpts: fix usage " Glauber Costa
[not found] ` <1363338823-25292-5-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:45 ` Serge Hallyn
2013-03-15 10:26 ` [PATCH 0/4] fix depvpts " Eric W. Biederman
[not found] ` <87boalt0vi.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-15 12:01 ` Glauber Costa
2013-03-15 14:00 ` Serge Hallyn
2013-03-15 14:42 ` Glauber Costa
[not found] ` <5143333E.1040100-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:21 ` Serge Hallyn
2013-03-15 15:26 ` Glauber Costa
[not found] ` <51433DBE.9020109-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:58 ` Serge Hallyn
2013-03-15 16:01 ` Glauber Costa
2013-03-15 21:02 ` Eric W. Biederman
2013-03-18 3:20 ` Serge Hallyn
2013-03-18 21:23 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a9q4gzs1.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=aris@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=glommer@parallels.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge.hallyn@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox