From: Seth Forshee <seth.forshee@canonical.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
fuse-devel@lists.sourceforge.net,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge H. Hallyn" <serge.hallyn@ubuntu.com>,
Seth Forshee <seth.forshee@canonical.com>
Subject: Re: [PATCH v4 2/5] fuse: Support fuse filesystems outside of init_user_ns
Date: Thu, 16 Oct 2014 00:59:00 +0200
Message-ID: <20141015225900.GC988@ubuntu-mba51>
In-Reply-To: <CALCETrXtHGzBbxFjZ_S3Zb0KkN1y6Uqm6CNkYSY37BLLcocFGw@mail.gmail.com>
On Wed, Oct 15, 2014 at 10:05:46AM -0700, Andy Lutomirski wrote:
> On Wed, Oct 15, 2014 at 8:05 AM, Seth Forshee
> <seth.forshee@canonical.com> wrote:
> > On Wed, Oct 15, 2014 at 07:49:39AM -0700, Andy Lutomirski wrote:
> >> On 10/14/2014 07:25 AM, Seth Forshee wrote:
> >> > Update fuse to translate uids and gids to/from the user namespace
> >> > of the process servicing requests on /dev/fuse. Any ids which do
> >> > not map into the namespace will result in errors. inodes will
> >> > also be marked bad when unmappable ids are received from
> >> > userspace.
> >> >
> >> > Due to security concerns the namespace used should be fixed,
> >> > otherwise a user might be able to gain elevated privileges or
> >> > influence processes that the user would otherwise be unable to
> >> > manipulate. Thus the namespace of the mounting process is used
> >> > for all translations, and this namespace is required to be the
> >> > same as the one in use when /dev/fuse was opened.
> >> >
> >>
> >> I'm not sure that this is necessary if my nosuid patch goes in, but I
> >> also don't think it makes any sense to hold this up while we find a
> >> perfect solution.
> >>
> >> Is there a decent way to extend this to different translation schemes in
> >> the future (e.g. a flag at fs setup that could be used)?
> >
> > I think it would be possible to relax the translation scheme
> > restrictions in the future, certainly that's easier than tightening down
> > a looser restriction. I still favor picking one namespace to use for
> > translation (surely that's how it would work with other filesystems
> > anyway) rather than using the current namespace during /dev/fuse I/O. I
> > did an implementation using the latter technique, and it's far more
> > complex with no benefits that I can see.
>
> Long term, I think we'll want more flexible translations for
> filesystems on removable media, even when both the mounter and the
> accessing process are in the init user namespace. But this can wait.
You've piqued my interest. What are you thinking of which would require
this flexibility?
Thanks,
Seth
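As an added illustration of the id translation the quoted commit message describes, here is a user-space model of mapping uids through a single fixed namespace map, with unmappable ids rejected rather than passed through. This is example code, not the patch's own; the uid_map contents, the INVALID_ID sentinel and the function names are constructed for the example.

```c
#include <stdio.h>

/* One line of /proc/<pid>/uid_map (or gid_map): ids [ns_first, ns_first+count)
 * inside the namespace correspond to [kernel_first, kernel_first+count) in the
 * kernel's view. Constructed user-space model, not the kernel's struct. */
struct id_extent { unsigned int ns_first, kernel_first, count; };

#define INVALID_ID 0xFFFFFFFFu   /* mirrors the kernel's (uid_t)-1 sentinel */

/* Constructed map for the mounting process's namespace:
 * namespace uids 0..65535 are backed by kernel uids 100000..165535. */
static const char *SAMPLE_UID_MAP = "0 100000 65536\n";

/* Parse uid_map text into extents; returns the number of extents parsed. */
static int parse_id_map(const char *text, struct id_extent *out, int max)
{
    int n = 0, used;
    while (n < max && sscanf(text, "%u %u %u%n", &out[n].ns_first,
                             &out[n].kernel_first, &out[n].count, &used) == 3) {
        n++;
        text += used;
    }
    return n;
}

/* Kernel id -> id as seen in the namespace (the from_kuid direction, used
 * when the kernel sends a request to the FUSE server). */
unsigned int kernel_to_ns(unsigned int kid)
{
    struct id_extent m[8];
    int n = parse_id_map(SAMPLE_UID_MAP, m, 8);
    for (int i = 0; i < n; i++)
        if (kid >= m[i].kernel_first && kid - m[i].kernel_first < m[i].count)
            return m[i].ns_first + (kid - m[i].kernel_first);
    return INVALID_ID;   /* unmappable: the request must fail, not leak a raw id */
}

/* Namespace id -> kernel id (the make_kuid direction, used when the FUSE
 * server replies with an owner for an inode). */
unsigned int ns_to_kernel(unsigned int nsid)
{
    struct id_extent m[8];
    int n = parse_id_map(SAMPLE_UID_MAP, m, 8);
    for (int i = 0; i < n; i++)
        if (nsid >= m[i].ns_first && nsid - m[i].ns_first < m[i].count)
            return m[i].kernel_first + (nsid - m[i].ns_first);
    return INVALID_ID;   /* unmappable: the patch marks the inode bad here */
}

/* 1 = owner reported by the server is usable, 0 = inode would be marked bad. */
int inode_owner_ok(unsigned int ns_uid_from_server)
{
    return ns_to_kernel(ns_uid_from_server) != INVALID_ID;
}
```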