From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: ebiederm@xmission.com, akpm@linux-foundation.org,
hch@infradead.org, viro@ZenIV.linux.org.uk,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: unprivileged mounts git tree
Date: Thu, 4 Sep 2008 13:49:16 -0500 [thread overview]
Message-ID: <20080904184916.GA19328@us.ibm.com> (raw)
In-Reply-To: <E1KbJBO-0003Xz-0G@pomaz-ex.szeredi.hu>
Quoting Miklos Szeredi (miklos@szeredi.hu):
> On Thu, 4 Sep 2008, Serge E. Hallyn wrote:
> > Quoting Miklos Szeredi (miklos@szeredi.hu):
> > > On Thu, 4 Sep 2008, Serge E. Hallyn wrote:
> > > > but you're still doing
> > > >
> > > > if (IS_MNT_SHARED(old_nd.path.mnt) && !capable(CAP_SYS_ADMIN))
> > > > goto out;
> > > >
> > > > shouldn't it be something like
> > > >
> > > > if (IS_MNT_SHARED(old_nd.path.mnt) && (old_nd.path.mnt & MNT_USER))
> > > > goto out;
> > > >
> > > > ?
> > >
> > > Why would that be an error? There's no real security gain to be had
> > > from restricting a privileged user, but could cause a lot of
> > > annoyance. If we think this is dangerous, then protection should be
> > > built into mount(8) with an option to override. But not into the
> > > kernel, IMO.
> >
> > We disagree on that. But can we agree that the check you added is wrong?
>
> No :)
>
> > There is no reason why a user mount should not be able to do shared
> > mounts, is there?
>
> I don't know. It's something to think about in the future, but not
> essential. We know that without the above check the user can do bad
> things: propagate mounts back into the source, and we don't want that.
When is propagating mounts back into the source bad? Because you are
not preventing it.
You are preventing future propagation back into the user's own mounts,
but not into mounts not owned by the user.
It's not right.
> We could allow binding a shared mount if
>
> a) the owners of the source and destination match
> b) the destination is made a slave of the source
Well that's what I've been saying...
> But the current patchset doesn't allow _any_ changes to propagation
> without CAP_SYS_ADMIN, so why should bind be an exception?
Because it's not a change in propagation among existing mounts, instead
it's defining propagation for the new user mounts. And since user
mounts don't currently exist, we're in no position to talk about
exceptions to existing behavior.
> And yes, this is something to think about, but I think it's a rather
> uncommon corner case, and so the patchset very much makes sense
> without having to deal with unprivileged mount propagation changes.
I'm willing to accept that if we simply leave the patchset as it was
before, but your new check just adds inconsistencies for absolutely zero
security gain.
> > So should the check above just go away then?
>
> No, we'd be back with the original problem.
We still have the original problem.
When root does
mount -bind /mnt /mnt
mount --make-rshared /mnt
mount --bind -o user=hallyn /mnt /home/hallyn/mnt
and hallyn does
mount --bind /usr /home/hallyn/mnt/usr
then the kernel happily propagates the mount to /mnt/usr.
Now if hallyn does
mount --bind /home/hallyn/mnt/usr /home/hallyn/mnt/usr2
THAT gives him a -EPERM.
To what end?
-serge
next prev parent reply other threads:[~2008-09-04 18:49 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-07 12:05 unprivileged mounts git tree Miklos Szeredi
2008-08-07 22:27 ` Serge E. Hallyn
2008-08-08 0:07 ` Eric W. Biederman
2008-08-08 0:25 ` Serge E. Hallyn
2008-08-25 11:01 ` Miklos Szeredi
2008-08-27 15:36 ` Serge E. Hallyn
2008-08-27 15:55 ` Miklos Szeredi
2008-08-27 18:46 ` Serge E. Hallyn
2008-09-03 18:45 ` Miklos Szeredi
2008-09-03 21:54 ` Serge E. Hallyn
2008-09-03 22:02 ` Serge E. Hallyn
2008-09-03 22:25 ` Miklos Szeredi
2008-09-03 22:43 ` Serge E. Hallyn
2008-09-04 6:42 ` Miklos Szeredi
2008-09-04 13:28 ` Serge E. Hallyn
2008-09-04 14:06 ` Miklos Szeredi
2008-09-04 15:40 ` Miklos Szeredi
2008-09-04 16:17 ` Serge E. Hallyn
2008-09-04 17:42 ` Miklos Szeredi
2008-09-04 17:48 ` Serge E. Hallyn
2008-09-04 18:03 ` Miklos Szeredi
2008-09-04 18:49 ` Serge E. Hallyn [this message]
2008-09-04 22:26 ` Miklos Szeredi
2008-09-04 23:32 ` Serge E. Hallyn
2008-09-05 15:31 ` Serge E. Hallyn
2008-09-09 13:34 ` Miklos Szeredi
2008-09-11 10:37 ` Eric W. Biederman
2008-09-11 14:43 ` Miklos Szeredi
2008-09-11 15:20 ` Serge E. Hallyn
2008-09-11 15:44 ` Miklos Szeredi
2008-09-11 18:54 ` Eric W. Biederman
2008-09-12 22:08 ` Serge E. Hallyn
2008-09-13 3:12 ` Eric W. Biederman
2008-09-14 1:56 ` Serge E. Hallyn
2008-09-14 3:06 ` Eric W. Biederman
2008-09-30 19:39 ` Serge E. Hallyn
2008-10-06 11:05 ` Miklos Szeredi
2008-09-11 19:04 ` Eric W. Biederman
2008-09-11 19:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080904184916.GA19328@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).