From: David Howells <dhowells@redhat.com>
To: Serge Hallyn <serge@hallyn.com>
Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org,
ebiederm@xmission.com, akpm@linux-foundation.org,
oleg@redhat.com, richard@nod.at, mikevs@xs4all.net,
segoon@openwall.com, gregkh@suse.de, eparis@redhat.com,
"Serge E. Hallyn" <serge.hallyn@canonical.com>,
Randy Dunlap <rdunlap@xenotime.net>
Subject: Re: [PATCH 6/9] Add Documentation/namespaces/user_namespace.txt (v3)
Date: Wed, 19 Oct 2011 10:36:31 +0100 [thread overview]
Message-ID: <15182.1319016991@redhat.com> (raw)
In-Reply-To: <1318974898-21431-7-git-send-email-serge@hallyn.com>
Serge Hallyn <serge@hallyn.com> wrote:
> To this new task, any resource belonging to the initial user namespace will
> appear to belong to user and group 'nobody', which are UID and GID -1.
> Permission to open such files will be granted according to world access
> permissions. UID comparisons and group membership checks will return false,
> and privilege will be denied.
The last comma there is unnecessary, I think. You might also want to say
'will fail' rather than 'will return false', but I'm not sure that sums it up
correctly.
> When a task belonging to (for example) userid 500 in the initial user namespace
Why switch to talking about 'userid'? This should probably be 'UID'.
> Userid mapping for the VFS is not yet implemented, though prototypes exist.
Ditto.
> ... Therefore, attempts to exercise privilege to resources in, for instance,
> a particular network namespace, can be properly validated by checking whether
> the caller has the needed privilege (i.e. CAP_NET_ADMIN) targeted to the
> user namespace which owns the network namespace.
That sentence looks rather clumsy. I think you need to split the statement
from the example.
Other namespaces, such as UTS and network, are owned by a user namespace.
When such a namespace is created, it is assigned to [owned by? associated
with?] the user namespace of the task by which it was created. Attempts to
exercise privilege in the new namespace are properly validated by checking
whether the caller has the needed privilege targeted to [granted by?] the
user namespace that owns the new namespace. For instance, to use the
resources in a network namespace, a check must be made that the caller has
[has been granted?] the CAP_NET_ADMIN privilege. This is done using the
ns_capable() function.
You may want to list here what CAPs correspond to what namespaces.
> As an example, if a new task is cloned with a private user namespace but
> no
'not a' instead of 'no'?
> private network namespace, then the task's network namespace is owned
> by the parent user namespace. The new task has no
Insert 'special' here?
> privilege to
s/to/over/ perhaps?
> the
> parent user namespace, so it will not be able to create or configure
'the'
> network devices
Insert 'therein'?
> . If,
I don't think you need the comma here. The 'instead' is the if condition.
> instead, the task were cloned with both private
> user and network namespaces, then the private network namespace is owned
> by the private user namespace, and so root in the new user namespace
> will have privilege targeted to
Interestingly, in these two paragraphs, you've used 'targeted to' in both
directions.
whether the caller has the needed privilege (...) targeted to the user
namespace
vs
the new user namespace will have privilege targeted to the network
namespace
You might want to consider changing one of them. I would suggest 'granted by'
for the first and 'targeted at [users of]' for the second.
> the network namespace. It will be able
> to create and configure network devices.
David
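The check David's suggested wording refers to, ns_capable(), can be illustrated with an added example; it is not code from this email or from the kernel, but a user-space C model of the targeted capability walk as the 2011 user-namespace code performed it. Two rules the model encodes are the kernel's behaviour of that era rather than anything stated in the message above: the task that created a user namespace holds all capabilities over it, and a capability held in a parent user namespace is held over every descendant. The struct layouts, field names and the constructed scenario credentials (UID 500 in the initial user namespace, as in the quoted text, cloning with and without CLONE_NEWNET) are the model's own.

```c
/* Added example (not kernel code and not from the email): a user-space model
 * of the targeted capability check, ns_capable(), that the document describes. */
#include <stdbool.h>
#include <stdio.h>

#define CAP_NET_ADMIN 12        /* value from <linux/capability.h> */
#define CAP_FULL_SET  (~0ULL)   /* every cap raised: "root" inside its user ns */

struct user_ns {
	struct user_ns *parent;   /* NULL for init_user_ns */
	unsigned int creator_uid; /* uid, in the parent ns, of the task that created it */
};
struct net_ns {
	struct user_ns *owner;    /* the user ns that owns this network ns */
};
struct cred {
	unsigned int euid;        /* euid as seen inside user_ns */
	struct user_ns *user_ns;
	unsigned long long cap_effective;
};

static bool cap_raised(unsigned long long set, int cap)
{
	return (set >> cap) & 1ULL;
}

/* Model of the 2011 cap_capable() walk: start at the target user ns and
 * climb towards init_user_ns until the caller's own user ns is reached. */
static bool model_ns_capable(const struct cred *cred,
			     const struct user_ns *targ_ns, int cap)
{
	const struct user_ns *ns = targ_ns;

	for (;;) {
		/* The creator of a user ns has all caps over it. */
		if (ns->parent && ns->parent == cred->user_ns &&
		    ns->creator_uid == cred->euid)
			return true;
		/* Reached the caller's own user ns: consult its effective set. */
		if (ns == cred->user_ns)
			return cap_raised(cred->cap_effective, cap);
		/* Climbed to init_user_ns without meeting the caller's ns. */
		if (!ns->parent)
			return false;
		/* A cap held in a parent user ns is held over all its descendants. */
		ns = ns->parent;
	}
}

/* What the network stack asks before creating or configuring a device in
 * 'net': is CAP_NET_ADMIN held, targeted at the user ns that owns 'net'? */
static bool may_configure_netdev(const struct cred *cred, const struct net_ns *net)
{
	return model_ns_capable(cred, net->owner, CAP_NET_ADMIN);
}

/* Constructed scenario from the email: UID 500 in the initial user ns clones a
 * task with a private user ns; the network ns is either inherited or private. */
static struct user_ns init_user_ns  = { NULL, 0 };
static struct user_ns child_user_ns = { &init_user_ns, 500 };
static struct net_ns init_net  = { &init_user_ns };   /* inherited net ns */
static struct net_ns child_net = { &child_user_ns };  /* private net ns */
static const struct cred global_root    = { 0,   &init_user_ns,  CAP_FULL_SET };
static const struct cred uid500_in_init = { 500, &init_user_ns,  0ULL };
static const struct cred root_in_child  = { 0,   &child_user_ns, CAP_FULL_SET };

/* CLONE_NEWUSER without CLONE_NEWNET: the net ns stays owned by the parent user ns. */
bool child_root_over_inherited_net(void)
{
	return may_configure_netdev(&root_in_child, &init_net);   /* false: EPERM */
}

/* CLONE_NEWUSER | CLONE_NEWNET: the private net ns is owned by the private user ns. */
bool child_root_over_private_net(void)
{
	return may_configure_netdev(&root_in_child, &child_net);  /* true */
}

/* Privilege in a parent user ns reaches into namespaces owned by its children. */
bool init_root_over_child_net(void)
{
	return may_configure_netdev(&global_root, &child_net);    /* true */
}

/* The unprivileged creator has all caps over the user ns it created... */
bool creator_over_child_net(void)
{
	return may_configure_netdev(&uid500_in_init, &child_net); /* true */
}

/* ...but gains nothing over resources of the initial user ns. */
bool uid500_over_init_net(void)
{
	return may_configure_netdev(&uid500_in_init, &init_net);  /* false */
}

int main(void)
{
	printf("root in child user ns -> inherited net ns: %s\n",
	       child_root_over_inherited_net() ? "allowed" : "EPERM");
	printf("root in child user ns -> private net ns:   %s\n",
	       child_root_over_private_net() ? "allowed" : "EPERM");
	return 0;
}
```

Compile with any C99 compiler and run; the two printed lines are the two clone cases the quoted paragraph contrasts. The remaining three functions show why the direction of "targeted" matters: the walk only ever climbs from the owning namespace towards init_user_ns, so privilege flows down from parent to child namespaces and never up.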