From: Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Miklos Szeredi <miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>,
fuse-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
"Serge H. Hallyn"
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
linux-fsdevel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH v4 3/5] fuse: Restrict allow_other to uids already controlled by the user
Date: Wed, 15 Oct 2014 17:11:00 +0200
Message-ID: <20141015151100.GA988@ubuntu-mba51>
In-Reply-To: <543E8BB3.6040701-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>

On Wed, Oct 15, 2014 at 07:58:59AM -0700, Andy Lutomirski wrote:
> On 10/14/2014 07:25 AM, Seth Forshee wrote:
> > Unprivileged users are normally restricted from mounting with the
> > allow_other option by system policy, but this could be bypassed
> > for a mount done with user namespace root permissions. In such
> > cases allow_other should not allow users outside the user
> > namespace to access the mount as doing so would give the
> > unprivileged user the ability to manipulate processes it would
> > otherwise be unable to manipulate.
>
> What threat is this intended to protect against? I think that, if this
> is needed, tasks outside the userns or its descendants should be
> blocked, even if the user ids match. That is, I think you should check
> the namespace, not the uid and gid.

allow_other is an existing option in fuse to protect against DoS
attacks against more privileged users by making file operations block
indefinitely. So this change makes it work the same way inside a user
namespace but only to users mapped into the namespace. Checking the
namespace does seem to make more sense, so I'll make that change.

Thanks,
Seth
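
The difference between the two checks discussed in this exchange, as an added example that is not part of the original message or the patch series. It is a userspace model: the struct names, the single-range uid mapping, and the uid values are constructed assumptions, and only the uid half of the "uid and gid" check is modeled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; hypothetical types, not kernel structures. */
struct userns {
    const struct userns *parent;   /* NULL for the initial namespace */
    uint32_t host_first, count;    /* one mapped range of host uids */
};
struct task {
    const struct userns *ns;       /* namespace the task runs in */
    uint32_t host_uid;             /* uid as seen from the initial namespace */
};

/* Constructed hierarchy: init -> container -> nested. */
static const struct userns init_ns   = { NULL, 0, UINT32_MAX };
static const struct userns container = { &init_ns, 100000, 65536 };
static const struct userns nested    = { &container, 101000, 1000 };

/* uid-based check: is the caller's uid mapped into the mount's namespace? */
bool allow_by_uid(const struct task *t, const struct userns *mnt_ns)
{
    return t->host_uid >= mnt_ns->host_first &&
           t->host_uid - mnt_ns->host_first < mnt_ns->count;
}

/* namespace-based check: caller is in the mount's namespace or a descendant */
bool allow_by_ns(const struct task *t, const struct userns *mnt_ns)
{
    for (const struct userns *ns = t->ns; ns; ns = ns->parent)
        if (ns == mnt_ns)
            return true;
    return false;
}

int main(void)
{
    const struct task tasks[] = {
        { &container, 100000 },  /* root inside the container */
        { &nested,    101500 },  /* task in a descendant namespace */
        { &init_ns,   100000 },  /* host task whose uid happens to match */
        { &init_ns,   0 },       /* host root */
    };
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        printf("task %zu: by_uid=%d by_ns=%d\n", i,
               allow_by_uid(&tasks[i], &container),
               allow_by_ns(&tasks[i], &container));
    return 0;
}
```

The third task is the case raised in the review: it runs outside the namespace with a matching uid, so the uid check admits it while the namespace check blocks it.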