linux-fsdevel.vger.kernel.org archive mirror
From: Jamie Lokier <jamie@shareable.org>
To: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	hch@infradead.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, akpm@osdl.org
Subject: Re: [PATCH] private mounts
Date: Sun, 24 Apr 2005 22:38:22 +0100
Message-ID: <20050424213822.GB9304@mail.shareable.org>
In-Reply-To: <20050424210616.GM13052@parcelfarce.linux.theplanet.co.uk>

Al Viro wrote:
> > > I believe the point is:
> > > 
> > >    1. Person is logged from client Y to server X, and mounts something on
> > >       $HOME/mnt/private (that's on X).
> > > 
> > >    2. On client Y, person does "scp X:mnt/private/secrets.txt ."
> > >       and wants it to work.
> > > 
> > > The second operation is a separate login to the first.
> > 
> > Solution?
> 
> ... is the same as for the same question with "set of mounts" replaced
> with "environment variables".

Not quite.

After changing environment variables in .profile, you can copy them to
other shells using ". ~/.profile".

There is no analogous mechanism to copy namespaces.

I agree with you that Miklos' patch is not the right way to do it.

Much better is the proposal to make namespaces first-class objects,
that can be switched to.  Then users can choose to have themselves a
namespace containing their private mounts, if they want it, with
login/libpam or even a program run from .profile switching into it.

While users can be allowed to create their own namespaces which affect
the path traversal of their _own_ directories, it's important that the
existence of such namespaces cannot affect path traversal of other
directories such as /etc, or /autofs/whatever - and that creation of
namespaces by a user cannot prevent the unmounting of a non-user
filesystem either.

The way to do that is shared subtrees, or something along those lines.

Here is one possible implementation:

As far as I can tell, namespaces are equivalent to predicates attached
to every mount - the predicate being "this mount intercepts path
traversal at this point if current namespace == X".

It makes sense, when users can create namespaces for themselves, that
the predicate be changed to "this mount valid if [list of current
namespace and all parent namespaces] contains X".  Parent namespace
means the namespace from which a CLONE_NS namespace inherits.

Then it would be safe (i.e. secure) to allow ordinary users to use
CLONE_NS for the purpose of establishing private namespace(s), within
which they can mount things on directories they own.  But those users
would continue to see mounts & unmounts done by the system in other
directories such as /mnt and /autofs.  Effectively this confines the
new namespace to only affecting directories owned by the user.

That would work properly with suid programs, properly with autofs and
also manual system-wide administration, and it is general enough that
it doesn't force any particular policy.  Also, it would be usable for
partial sharing of resources in virtual server and chroot scenarios.
What's not to like? :)

-- Jamie
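The visibility predicate proposed above, worked through as a small model. This is an added example, not code from Jamie's message or from the Linux kernel: it keeps one system-wide mount table, tags every mount with the namespace that created it, and treats a mount as valid for a lookup only when that namespace is the caller's current namespace or one of its CLONE_NS ancestors. The uids, paths, namespace names and fs labels are constructed, and the "only mount on directories you own" rule is modelled with a plain path-to-uid dictionary.

```python
# Toy model of the per-mount visibility predicate described in the message:
# a mount is valid for the calling process if the namespace that created it
# is the current namespace or one of its ancestors (CLONE_NS parents).
# Added example; not code from the message or the Linux kernel. All names,
# paths and owners below are constructed.

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(eq=False)
class Namespace:
    name: str
    parent: Optional["Namespace"] = None

    def ancestry(self) -> List["Namespace"]:
        """Current namespace followed by every namespace it inherits from."""
        chain, ns = [], self
        while ns is not None:
            chain.append(ns)
            ns = ns.parent
        return chain


@dataclass(eq=False)
class Mount:
    mountpoint: str       # directory covered by the mount
    fs: str               # constructed label for what is mounted there
    owner_ns: Namespace   # namespace in which the mount was created


class MountTable:
    """One system-wide mount table; visibility is decided per lookup."""

    def __init__(self, dir_owner: Dict[str, int]):
        self.mounts: List[Mount] = []
        self.dir_owner = dir_owner   # path -> uid of the directory owner (constructed)

    def mount(self, ns: Namespace, uid: int, mountpoint: str, fs: str) -> None:
        # Unprivileged users may only mount on directories they own; this is
        # what confines a private namespace to the user's own tree.
        if uid != 0 and self.dir_owner.get(mountpoint) != uid:
            raise PermissionError(f"uid {uid} does not own {mountpoint}")
        self.mounts.append(Mount(mountpoint, fs, ns))

    def umount(self, ns: Namespace, mountpoint: str) -> bool:
        # A namespace can only unmount what it created, so a child namespace
        # never prevents the system from unmounting a non-user filesystem.
        for m in self.mounts:
            if m.mountpoint == mountpoint and m.owner_ns is ns:
                self.mounts.remove(m)
                return True
        return False

    @staticmethod
    def visible(m: Mount, current: Namespace) -> bool:
        # The predicate from the message: valid if [current namespace and all
        # parent namespaces] contains the namespace that made the mount.
        return m.owner_ns in current.ancestry()

    def resolve(self, path: str, current: Namespace) -> str:
        """Return the fs label of the longest visible mount covering path."""
        best: Optional[Mount] = None
        for m in self.mounts:
            covers = path == m.mountpoint or path.startswith(m.mountpoint + "/")
            if covers and self.visible(m, current):
                if best is None or len(m.mountpoint) > len(best.mountpoint):
                    best = m
        return best.fs if best else "rootfs"


def scenario() -> Dict[str, object]:
    """Replay the situation discussed in the thread with constructed data."""
    ALICE = 1000
    table = MountTable(dir_owner={"/home/alice/mnt/private": ALICE,
                                  "/etc": 0, "/autofs/data": 0})
    root_ns = Namespace("root")
    login1 = Namespace("alice-login1", parent=root_ns)   # CLONE_NS child
    login2 = Namespace("alice-login2", parent=root_ns)   # a separate login

    out: Dict[str, object] = {}
    table.mount(root_ns, 0, "/autofs/data", "nfs:data")              # system mount
    table.mount(login1, ALICE, "/home/alice/mnt/private", "encfs:private")

    secret = "/home/alice/mnt/private/secrets.txt"
    out["login1_sees_private"] = table.resolve(secret, login1)
    out["login1_sees_system"] = table.resolve("/autofs/data/file", login1)
    out["login2_sees_private"] = table.resolve(secret, login2)   # the scp login
    out["root_sees_private"] = table.resolve(secret, root_ns)

    # Confinement: an unprivileged user cannot place a mount on /etc.
    try:
        table.mount(login1, ALICE, "/etc", "tmpfs")
        out["etc_mount_refused"] = False
    except PermissionError:
        out["etc_mount_refused"] = True

    # The child cannot unmount the system's mount, but the system can, and
    # once it is gone the child stops seeing it too.
    out["child_can_umount_system"] = table.umount(login1, "/autofs/data")
    out["system_umount_ok"] = table.umount(root_ns, "/autofs/data")
    out["login1_after_system_umount"] = table.resolve("/autofs/data/file", login1)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `login2_sees_private` result is the original complaint: a sibling namespace created by a second login inherits only the root namespace's mounts. The "first-class namespace you can switch into" idea is what closes that gap; in this model it amounts to the second login resolving against `login1` instead of `login2`, which the predicate already permits.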
