From: Majkls
Subject: Re: [patch 0/8] mount ownership and unprivileged mount syscall (v4)
Date: Sat, 21 Apr 2007 10:30:28 +0200
Message-ID: <4629CBA4.8050409@tiscali.cz>
In-Reply-To: <20070420102532.385211890@szeredi.hu>
References: <20070420102532.385211890@szeredi.hu>
To: Miklos Szeredi
Cc: linux-fsdevel@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

> This patchset has now been bared to the "lowest common denominator"
> that everybody can agree on.  Or at least there weren't any objections
> to this proposal.

I would be very glad if this feature can be disabled on compilation,
because this feature is fine for desktops, but not for servers. Another
user access to the kernel = another security hole. I have mount without
setuid on my server. I don't want user access to mount/umount.

> Andrew, please consider it for -mm.
>
> Thanks,
> Miklos
> ----
>
> v3 -> v4:
>
>  - simplify interface as much as possible, now only a single option
>    ("user=UID") is used to control everything
>  - no longer allow/deny mounting based on file/directory permissions,
>    that approach does not always make sense
>
> ----
> This patchset adds support for keeping mount ownership information in
> the kernel, and allows unprivileged mount(2) and umount(2) in certain
> cases.
>
> The mount owner has the following privileges:
>
>  - unmount the owned mount
>  - create a submount under the owned mount
>
> The sysadmin can set the owner explicitly on mount and remount.  When
> an unprivileged user creates a mount, then the owner is automatically
> set to the user.
>
> The following use cases are envisioned:
>
> 1) Private namespace, with selected mounts owned by user.
>    E.g. /home/$USER is a good candidate for allowing unpriv mounts and
>    unmounts within.
>
> 2) Private namespace, with all mounts owned by user and having the
>    "nosuid" flag.  User can mount and umount anywhere within the
>    namespace, but suid programs will not work.
>
> 3) Global namespace, with a designated directory, which is a mount
>    owned by the user.  E.g. /mnt/users/$USER is set up so that it is
>    bind mounted onto itself, and set to be owned by $USER.  The user
>    can add/remove mounts only under this directory.
>
> The following extra security measures are taken for unprivileged
> mounts:
>
>  - usermounts are limited by a sysctl tunable
>  - force "nosuid,nodev" mount options on the created mount

-- 
Miloslav "Majkls" Semler
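The quoted cover letter states the ownership rules in prose: the owner may unmount an owned mount and mount under it, the admin assigns ownership with "user=UID", an unprivileged mount gets its owner set automatically, "nosuid,nodev" is forced on, and a sysctl caps the number of user mounts. The following C model is an added example written for this page, not code from the patchset or the kernel; every name in it (model_mount, do_mount, set_owner, sysctl_max_user_mounts, the MNT_* values) is hypothetical, and the mounts it walks through are constructed to follow use case 3 above, a user-owned /mnt/users/$USER bind mount. It shows where each denial happens and which flags an owner's submount ends up with.

```c
/* Added example: model of the mount-ownership rules in the cover letter.
 * Not the patchset's code; all names here are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

/* Model flag bits; the kernel's real MNT_* values differ. */
#define MNT_NOSUID 0x1u
#define MNT_NODEV  0x2u

/* A mount with no owner: only root may unmount it or mount under it. */
#define NO_OWNER ((unsigned)-1)

struct model_mount {
    const char *path;
    unsigned owner;               /* uid of the mount owner, or NO_OWNER */
    unsigned flags;               /* MNT_* bits */
    struct model_mount *parent;   /* mount this one sits under, NULL for "/" */
};

/* Stand-in for the sysctl tunable that caps unprivileged mounts. */
static unsigned sysctl_max_user_mounts = 2;
static unsigned nr_user_mounts;

static bool is_root(unsigned uid) { return uid == 0; }

void reset_model(void) { nr_user_mounts = 0; }

/* Owner privilege 1: unmount the owned mount. */
bool may_umount(unsigned uid, const struct model_mount *m)
{
    return is_root(uid) || m->owner == uid;
}

/* Owner privilege 2: create a submount under the owned mount. */
bool may_submount(unsigned uid, const struct model_mount *parent)
{
    return is_root(uid) || parent->owner == uid;
}

/* Sysadmin sets the owner explicitly ("user=UID" on mount or remount). */
int set_owner(unsigned caller, struct model_mount *m, unsigned new_owner)
{
    if (!is_root(caller))
        return -1;
    m->owner = new_owner;
    return 0;
}

/* mount(2) in the model: an unprivileged caller becomes the owner, gets
 * "nosuid,nodev" forced on, and is subject to the sysctl cap.
 * Returns 0 on success, -1 when the request is denied. */
int do_mount(unsigned uid, struct model_mount *parent, unsigned requested_flags,
             const char *path, struct model_mount *out)
{
    if (!may_submount(uid, parent))
        return -1;
    if (!is_root(uid) && nr_user_mounts >= sysctl_max_user_mounts)
        return -1;

    out->path = path;
    out->parent = parent;
    out->flags = requested_flags;
    if (is_root(uid)) {
        out->owner = NO_OWNER;    /* root assigns ownership via set_owner() */
    } else {
        out->owner = uid;
        out->flags |= MNT_NOSUID | MNT_NODEV;
        nr_user_mounts++;
    }
    return 0;
}

/* Walk through use case 3 with constructed sample mounts. Returns 0 when
 * every expectation holds, otherwise the number of the first failed step. */
int run_use_case_3(void)
{
    struct model_mount root = { "/", NO_OWNER, 0, NULL };
    struct model_mount home = { "/mnt/users/1000", NO_OWNER, 0, &root };
    struct model_mount a, b, c;
    reset_model();

    if (set_owner(1000, &home, 1000) != -1) return 1;   /* user cannot claim a mount */
    if (set_owner(0, &home, 1000) != 0) return 2;       /* admin: user=1000 */
    if (may_submount(1000, &root)) return 3;            /* 1000 does not own "/" */
    if (do_mount(1000, &home, 0, "/mnt/users/1000/a", &a) != 0) return 4;
    if (a.owner != 1000) return 5;                      /* owner set automatically */
    if ((a.flags & (MNT_NOSUID | MNT_NODEV)) != (MNT_NOSUID | MNT_NODEV)) return 6;
    if (do_mount(1001, &home, 0, "/mnt/users/1000/b", &b) != -1) return 7;  /* other user */
    if (do_mount(1000, &a, 0, "/mnt/users/1000/a/c", &c) != 0) return 8;    /* under own mount */
    if (do_mount(1000, &home, 0, "/mnt/users/1000/b", &b) != -1) return 9;  /* cap of 2 reached */
    if (!may_umount(1000, &a)) return 10;
    if (may_umount(1000, &root)) return 11;
    if (may_umount(1001, &a)) return 12;
    return 0;
}

int main(void)
{
    int rc = run_use_case_3();
    printf("use case 3 model: %s (step %d)\n", rc == 0 ? "all checks hold" : "FAILED", rc);
    return rc;
}
```

The point the model makes for a server admin is the one raised in the reply: with no "user=UID" set anywhere, every call from a non-zero uid is denied at may_submount()/may_umount(), so the feature is inert until the admin hands out ownership; the forced flags and the cap only come into play after that.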