From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christoph Hellwig
Subject: Re: Mount bind filehandle (Was: Re: [RFC][2.6 patch] Allow creation of new namespaces during mount system call)
Date: Thu, 21 Apr 2005 09:09:01 +0100
Message-ID: <20050421080901.GA17629@infradead.org>
References: <20050419222324.GM13052@parcelfarce.linux.theplanet.co.uk>
 <20050420033304.GO13052@parcelfarce.linux.theplanet.co.uk>
 <20050420094558.GB10167@mail.shareable.org>
 <20050420102711.GR13052@parcelfarce.linux.theplanet.co.uk>
 <20050420120340.GC10167@mail.shareable.org>
 <20050420123945.GS13052@parcelfarce.linux.theplanet.co.uk>
 <1114015886.4920.120.camel@localhost>
 <20050420170921.GT13052@parcelfarce.linux.theplanet.co.uk>
 <20050421073320.GA335@vagabond>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Al Viro , Ram , Jamie Lokier , Eric Van Hensbergen , linux-fsdevel@vger.kernel.org
Return-path:
Received: from pentafluge.infradead.org ([213.146.154.40]:30122 "EHLO pentafluge.infradead.org") by vger.kernel.org with ESMTP id S261550AbVDUIJQ (ORCPT ); Thu, 21 Apr 2005 04:09:16 -0400
To: Jan Hudec
Content-Disposition: inline
In-Reply-To: <20050421073320.GA335@vagabond>
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Thu, Apr 21, 2005 at 09:33:20AM +0200, Jan Hudec wrote:
> I think I can. And I think I can modify the proposal to something a bit
> more sane.
>
> The problem is: The mount should be accessible only by processes started
> by the authorized user, but not by other users, including root, who is
> capable of changing their uid to the authorized user's id.
>
> The solution can be: The mount is only accessible to the process group
> of that user's session. That's easy -- the login process is created
> with a new namespace.

That doesn't make sense. A process with sufficient capabilities (aka
root) can do things including reading or modifying kernel memory and
can always access your namespace, no matter how difficult you're trying
to make it.