From mboxrd@z Thu Jan 1 00:00:00 1970 From: Miklos Szeredi Subject: Re: [PATCH v5 3/4] fuse: Restrict allow_other to the superblock's namespace or a descendant Date: Tue, 11 Nov 2014 16:27:37 +0100 Message-ID: <20141111152737.GE333@tucsk> References: <1414013060-137148-1-git-send-email-seth.forshee@canonical.com> <1414013060-137148-4-git-send-email-seth.forshee@canonical.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "Eric W. Biederman" , "Serge H. Hallyn" , Andy Lutomirski , Michael j Theall , fuse-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org To: Seth Forshee Return-path: Content-Disposition: inline In-Reply-To: <1414013060-137148-4-git-send-email-seth.forshee@canonical.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Wed, Oct 22, 2014 at 04:24:19PM -0500, Seth Forshee wrote: > Unprivileged users are normally restricted from mounting with the > allow_other option by system policy, but this could be bypassed > for a mount done with user namespace root permissions. In such > cases allow_oth er should not allow users outside the userns > to access the mount as doing so would give the unprivileged user > the ability to manipulate processes it would otherwise be unable > to manipulate. Therefore access with allow_other should be > restricted to users in the userns as the superblock or a > descendant of that namespace. Fine. But aren't this kind of thing supposed to be prevented anyway by having private mount namespace coupled with the pid-user-whatever namespace? It seems like being a bit too careful (not to say that that's a bad thing). Thanks, Miklos