From: "bfields@fieldses.org" <bfields@fieldses.org>
To: Trond Myklebust <trondmy@hammerspace.com>
Cc: "schumakeranna@gmail.com" <schumakeranna@gmail.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"dai.ngo@oracle.com" <dai.ngo@oracle.com>,
"steved@redhat.com" <steved@redhat.com>,
"olga.kornievskaia@gmail.com" <olga.kornievskaia@gmail.com>,
"chuck.lever@oracle.com" <chuck.lever@oracle.com>
Subject: Re: server-to-server copy by default
Date: Thu, 21 Oct 2021 10:38:08 -0400 [thread overview]
Message-ID: <20211021143808.GD25711@fieldses.org> (raw)
In-Reply-To: <aec219339d8296b7e9b114d9d247a71fd47423c5.camel@hammerspace.com>
On Thu, Oct 21, 2021 at 02:22:13PM +0000, Trond Myklebust wrote:
> Yes, that's mostly fixed. As far as I'm concerned, there should be no
> major obstacles to allowing unprivileged mounts in their own private
> net namespace.
Do you think it'd be a reasonable thing to turn on now by default in
distros or something the admin should have to opt-in to only on trusted
networks?
I'm wondering how much confidence we have in the client's robustness in
the face of possibly compromised servers.
> The one thing to note, though, is that AUTH_SYS still required that the
> container be given a CAP_NET_BIND_SERVICE privilege to allow binding to
> a privileged port.
Got it, thanks.
--b.
next prev parent reply other threads:[~2021-10-21 14:38 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-20 15:54 server-to-server copy by default J. Bruce Fields
2021-10-20 16:00 ` Chuck Lever III
2021-10-20 16:33 ` Olga Kornievskaia
2021-10-20 19:03 ` dai.ngo
2021-10-20 20:29 ` Bruce Fields
2021-10-21 5:00 ` dai.ngo
2021-10-21 14:02 ` Bruce Fields
2021-10-22 6:34 ` dai.ngo
2021-10-22 12:58 ` Bruce Fields
2021-11-01 17:37 ` dai.ngo
2021-11-01 19:33 ` Bruce Fields
2021-11-01 19:55 ` dai.ngo
2021-10-20 17:24 ` Steve Dickson
2021-10-20 17:51 ` Chuck Lever III
2021-10-20 16:37 ` Olga Kornievskaia
2021-10-20 17:45 ` Chuck Lever III
2021-10-20 18:15 ` Bruce Fields
2021-10-20 19:04 ` Chuck Lever III
2021-10-21 13:43 ` Steve Dickson
2021-10-21 13:56 ` Bruce Fields
2021-10-21 14:13 ` Bruce Fields
2021-10-21 14:22 ` Trond Myklebust
2021-10-21 14:38 ` bfields [this message]
2021-10-20 18:00 ` J. Bruce Fields
2021-11-01 18:22 ` Charles Hedrick
2021-11-01 19:25 ` Steve Dickson
2021-11-01 19:44 ` Charles Hedrick
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211021143808.GD25711@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=dai.ngo@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=schumakeranna@gmail.com \
--cc=steved@redhat.com \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox