From: Christoph Hellwig <hch@infradead.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: hch@infradead.org, 7eggert@gmx.de, smfrench@austin.rr.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] cifs: handle termination of cifs oplockd kernel thread
Date: Sat, 30 Apr 2005 09:29:52 +0100 [thread overview]
Message-ID: <20050430082952.GA23253@infradead.org> (raw)
In-Reply-To: <E1DRn70-0002AD-00@dorka.pomaz.szeredi.hu>
On Sat, Apr 30, 2005 at 10:14:07AM +0200, Miklos Szeredi wrote:
> > Except that we don't have the concept of a mount owner at the VFS level
> > right now, because everyone is adding stupid suid wrapper hacks instead
> > of trying to fix the problems for real.
>
> Having a mount owner is not a problem. Having a good policy for
> accepting mounts is rather more so, according to some:
>
> http://marc.theaimsgroup.com/?l=linux-kernel&m=107705608603071&w=2
>
> Just a little taste of what that policy would involve:
>
> - global limit on user mounts
I don't think we need that one.
> - possibly per user limit on mounts
Makes sense as an ulimit, that way the sysadmin can easily disable the
user mount feature aswell.
> - acceptable mountpoints (unlimited writablity is probably a good minimum)
Yupp.
> - acceptable mount options (nosuid, nodev are obviously not)
noexecis a bit too much, so the above look good.
> - filesystems "safe" to mount by users
what filesystem do you think is unsafe?
- virtual filesystems exporting kernel data are obviously safe as
they enforce permissions no matter who mounted them. (actually we'd
need to check for some odd mount options)
- block-based filesystems should be safe as long as the mounter has
access to the underlying block device
- network/userspace filesystems should be fine aswell
next prev parent reply other threads:[~2005-04-30 8:29 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <3YLdQ-4vS-15@gated-at.bofh.it>
2005-04-29 23:18 ` [PATCH] cifs: handle termination of cifs oplockd kernel thread Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
2005-04-30 7:32 ` Christoph Hellwig
2005-04-30 8:14 ` Miklos Szeredi
2005-04-30 8:29 ` Christoph Hellwig [this message]
2005-04-30 9:22 ` Miklos Szeredi
2005-04-30 10:57 ` Miklos Szeredi
2005-04-30 13:28 ` Steve French
2005-04-30 14:53 ` J. Bruce Fields
2005-04-30 14:50 ` Steve French
2005-04-30 17:23 ` Miklos Szeredi
2005-04-30 16:16 ` Miklos Szeredi
2005-04-30 15:27 ` Steve French
2005-05-01 0:10 ` Bodo Eggert
2005-05-11 8:59 ` Christoph Hellwig
2005-04-30 12:52 ` Steve French
2005-04-29 21:09 Steve French
2005-04-29 21:31 ` Christoph Hellwig
2005-04-29 22:20 ` Steve French
2005-05-11 8:56 ` Christoph Hellwig
2005-05-11 18:19 ` Steve French
2005-05-16 9:34 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050430082952.GA23253@infradead.org \
--to=hch@infradead.org \
--cc=7eggert@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=smfrench@austin.rr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox