From: Jan Hudec
Subject: Mount bind filehandle (Was: Re: [RFC][2.6 patch] Allow creation of new namespaces during mount system call)
Date: Thu, 21 Apr 2005 09:33:20 +0200
Message-ID: <20050421073320.GA335@vagabond>
In-Reply-To: <20050420170921.GT13052@parcelfarce.linux.theplanet.co.uk>
To: Al Viro
Cc: Ram, Jamie Lokier, Eric Van Hensbergen, linux-fsdevel@vger.kernel.org

On Wed, Apr 20, 2005 at 18:09:21 +0100, Al Viro wrote:
> On Wed, Apr 20, 2005 at 09:51:26AM -0700, Ram wrote:
> > Reading through the thread I assume the requirement is:
> >
> > 1) A User being able to create his own VFS-mount environment
> > 2) being able to use the same VFS-mount environment from
> >    multiple login sessions.
> > 3) Being able to switch some processes to some other
> >    VFS-mount environment.
>
> Excuse me, but could somebody give coherent rationale for such requirements?
> _Especially_ for joining existing group by completely unrelated process -
> something we don't do for any other component of process.

I think I can. And I think I can modify the proposal to something a bit
more sane.

The problem is: The mount should be accessible only by processes started
by the authorized user, but not by other users, including root, who is
capable of changing their uid to the authorized user's id.

The solution can be: The mount is only accessible to the process group
of that user's session. That's easy -- the login process is created with
a new namespace.

Now how to allow the user to have that mountpoint accessible from all
sessions? Well, we can already pass open file descriptors to files inside
that mount to unrelated processes along unix domain sockets. So what is
left is being able to mount --bind a directory by its filehandle (since
it does not have a path in our namespace).

This allows creating a "mount-agent", that would work similar to
ssh-agent or gpg-agent, but instead of passing secret keys, it would pass
descriptors to that user's mount roots and its client would bind them.
This agent can do whatever authentication is deemed appropriate for that
mountpoint.

Note however, that it's really hard to protect something against root,
because root can ptrace any process.

Well, being able to mount bind a file descriptor might be useful for other
purposes as well and should not be hard to do. Unless you or somebody
finds a security problem with it, but I don't see any. A process having
a directory handle can chdir there anyway, so this does not add extra
access.
-------------------------------------------------------------------------------
Jan 'Bulb' Hudec
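
Added example, not part of the original message: the mechanism the message builds on, an "agent" process handing an open directory descriptor to a client over a Unix domain socket (SCM_RIGHTS), with the client checking what it received and entering the directory with fchdir(). The function names, the temporary directory and `note.txt` are assumptions made for the illustration, written in Python for brevity; the proposed bind mount by descriptor itself is not implemented here.

```python
# Added example, not code from the original message. The temp directory and
# "note.txt" are constructed sample data; needs Python 3.9+ on a Unix system.
import os
import socket
import stat
import tempfile

def send_dir(sock, path):
    """Agent side: open a directory and pass it as SCM_RIGHTS data."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        socket.send_fds(sock, [b"D"], [fd])
    finally:
        os.close(fd)  # the in-flight copy keeps the directory open

def recv_dir(sock):
    """Client side: accept exactly one descriptor, and only a directory."""
    data, fds, flags, _ = socket.recv_fds(sock, 1, 1)
    ok = (data == b"D" and len(fds) == 1 and not flags & socket.MSG_CTRUNC
          and stat.S_ISDIR(os.fstat(fds[0]).st_mode))
    if not ok:
        for fd in fds:
            os.close(fd)  # do not keep handles we did not ask for
        raise ValueError("expected exactly one directory descriptor")
    return fds[0]

def demo():
    """Agent child owns a directory; the client enters it without a path."""
    client, agent = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "note.txt"), "w") as f:
            f.write("reached by descriptor")
        pid = os.fork()
        if pid == 0:
            try:
                send_dir(agent, root)
            finally:
                os._exit(0)  # skip the parent's cleanup handlers in the child
        agent.close()
        dfd, back = recv_dir(client), os.open(".", os.O_RDONLY)
        os.waitpid(pid, 0)
        try:
            os.fchdir(dfd)  # no new access: the handle already allowed this
            with open("note.txt") as f:
                return f.read(), os.path.samestat(os.fstat(dfd), os.stat(root))
        finally:
            os.fchdir(back)
            os.close(dfd)
            os.close(back)
            client.close()
```

The receiver treats the descriptor as untrusted input: it rejects truncated control data, extra descriptors and anything that is not a directory before using it.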