From: Brian Foster <bfoster@redhat.com>
To: Dwight Engen <dwight.engen@oracle.com>
Cc: "Eric W. Biederman" <ebiederm@gmail.com>, xfs@oss.sgi.com
Subject: Re: [PATCH] userns: Convert xfs to use kuid/kgid where appropriate
Date: Thu, 20 Jun 2013 15:12:16 -0400 [thread overview]
Message-ID: <51C35410.2040109@redhat.com> (raw)
In-Reply-To: <20130620133903.5193d3ee@oracle.com>
On 06/20/2013 01:39 PM, Dwight Engen wrote:
> On Thu, 20 Jun 2013 11:27:04 -0400
> Brian Foster <bfoster@redhat.com> wrote:
>
>> On 06/20/2013 09:54 AM, Dwight Engen wrote:
>>> On Thu, 20 Jun 2013 10:13:41 +1000
>>> Dave Chinner <david@fromorbit.com> wrote:
>>>
>>>> On Wed, Jun 19, 2013 at 11:09:48AM -0400, Dwight Engen wrote:
...
>>
>> Hi Dwight,
>>
>> If I understand correctly, the proposition is to turn
>> XFS_EOF_FREE_EOFBLOCKS into administrator only functionality and run
>> ns conversions on the inode uid/gid and associated eofb values for
>> the ID filtering functionality.
>
> Hi Brian, yeah that was the proposal :) I think there are really two
> issues here. One is that the uid_t/gid_t may come from a userns so we
> should be aware of that. Currently the ids passed in are used for
> *filtering* so a malicious user can't do anything more than they
> already can by not passing ids at all, but we should fix this so only
> the intended files are affected. Second is that currently the ioctl
> allows an unprivileged user to affect another user (as Eric pointed
> out):
>
>> I am little dubious about XFS_IOC_FREE_EOFBLOCKS allowing any
>> user to affect any other user. Your changes just seem to make
>> it guaranteed that when called from a user namespace the wrong
>> user will be affected.
>
> I don't think the nsown_capability() I proposed is enough to take care
> of this. Do you agree that if the caller is going to affect other
> users, they should be CAP_SYS_ADMIN (or maybe CAP_FOWNER) in
> init_user_ns?
>
Yeah, that's what I was getting at below by restricting "global" scans
to admin privilege.
>> The latter sounds reasonable to me, though I'm not so sure about the
>> CAP_SYS_ADMIN bit. For example, I think we'd expect a regular user to
>> be able to run an eofblocks scan against files covered under his
>> quota.
>>
>> Perhaps the right thing to do here is to restrict global (and project
>> quota?) scans to CAP_SYS_ADMIN and uid/gid based scans to processes
>> with the appropriate permissions (i.e., CAP_SYS_ADMIN, matching
>> uid/gid or CAP_FOWNER). Thoughts?
>
> That sounds good to me. Maybe for a regular user the appropriate
> permission check (at the top of xfs_inode_free_eofblocks()) could be
> something like:
>
I think the various capability/permission checks should be in the ioctl
code. xfs_icache_free_eofblocks() and below are internal interfaces
where these checks are probably not relevant. I actually have code lying
around that creates an internal structure for that code, similar but
separate from the xfs_eofblocks structure.
> if (!capable(CAP_SYS_ADMIN) &&
> !uid_eq(VFS_I(ip)->i_uid, current_fsuid()) &&
> !in_group_p(VFS_I(ip)->i_gid))
> return 0;
>
This is a little confusing (and pardon me, I'm a bit new to the
namespace work). What might be a bit more clear is to do the capability
checks against the EOFBLOCKS command flags in xfs_file_ioctl() and
return an appropriate error if permission is not granted for the
requested type of scan (i.e., a regular user doing a global or non-id
matching scan). Then restrict the changes in xfs_icache_free_eofblocks()
to just dealing with the namespace conversions.
This would still allow use cases such as the pending code I have that
invokes an eofblocks scan on write() failure due to EDQUOT/ENOSPC in the
case of project or user/group quotas. I suspect adding the namespace
conversion stuff wouldn't break the typical user/group quota case, but
we'd still require the ability to run a project quota scan from a
particular user context. I think the combined check you have above would
break that.
Brian
> This has the drawback that the caller won't know if they supplied a
> uid/gid in eofblocks that won't actually get cleared, so maybe we
> want to validate a uid/gid in eofblocks after its copy_from_user()ed
> in instead? Also, I'm not sure if this is the same as "under his quota"
> and how it plays with project quotas.
>
>> Brian
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2013-06-20 19:15 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 15:09 [PATCH] userns: Convert xfs to use kuid/kgid where appropriate Dwight Engen
2013-06-19 20:35 ` Eric W. Biederman
2013-06-20 1:41 ` Dave Chinner
2013-06-20 13:54 ` Dwight Engen
2013-06-20 21:10 ` Dave Chinner
2013-06-20 0:13 ` Dave Chinner
2013-06-20 13:54 ` Dwight Engen
2013-06-20 15:27 ` Brian Foster
2013-06-20 17:39 ` Dwight Engen
2013-06-20 19:12 ` Brian Foster [this message]
2013-06-20 22:12 ` Dave Chinner
2013-06-20 22:45 ` Eric W. Biederman
2013-06-20 23:35 ` Dave Chinner
2013-06-20 22:03 ` Dave Chinner
2013-06-21 15:14 ` Dwight Engen
2013-06-24 0:33 ` Dave Chinner
2013-06-24 13:10 ` [PATCH v2 RFC] " Dwight Engen
2013-06-25 16:46 ` Brian Foster
2013-06-25 20:08 ` Dwight Engen
2013-06-25 21:04 ` Brian Foster
2013-06-26 2:09 ` Dave Chinner
2013-06-26 21:30 ` Dwight Engen
2013-06-26 22:44 ` Dave Chinner
2013-06-27 13:02 ` Serge Hallyn
2013-06-28 1:54 ` Dave Chinner
2013-06-28 15:25 ` Serge Hallyn
2013-06-28 16:16 ` Dwight Engen
2013-06-27 20:57 ` Ben Myers
2013-06-28 1:46 ` Dave Chinner
2013-06-28 15:15 ` Serge Hallyn
2013-06-28 14:23 ` Dwight Engen
2013-06-28 15:11 ` [PATCH v3 0/6] " Dwight Engen
2013-06-28 15:11 ` [PATCH 1/6] create wrappers for converting kuid_t to/from uid_t Dwight Engen
2013-06-28 15:11 ` [PATCH 2/6] convert kuid_t to/from uid_t in ACLs Dwight Engen
2013-06-28 15:11 ` [PATCH 3/6] ioctl: check for capabilities in the current user namespace Dwight Engen
2013-06-28 15:11 ` [PATCH 4/6] convert kuid_t to/from uid_t for xfs internal structures Dwight Engen
2013-06-28 15:11 ` [PATCH 5/6] create internal eofblocks structure with kuid_t types Dwight Engen
2013-06-28 18:09 ` Brian Foster
2013-06-28 15:11 ` [PATCH 6/6] ioctl eofblocks: require non-privileged users to specify uid/gid match Dwight Engen
2013-06-28 18:50 ` Brian Foster
2013-06-28 20:28 ` Dwight Engen
2013-06-28 21:39 ` Brian Foster
2013-06-28 23:22 ` Dwight Engen
2013-07-01 12:21 ` Brian Foster
2013-07-06 4:44 ` [PATCH 1/1] export inode_capable Serge Hallyn
2013-07-08 13:09 ` [PATCH v2 RFC] userns: Convert xfs to use kuid/kgid where appropriate Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C35410.2040109@redhat.com \
--to=bfoster@redhat.com \
--cc=dwight.engen@oracle.com \
--cc=ebiederm@gmail.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox