From: Andy Lutomirski <luto@amacapital.net>
To: Seth Forshee <seth.forshee@canonical.com>,
Miklos Szeredi <miklos@szeredi.hu>
Cc: fuse-devel@lists.sourceforge.net,
"Serge H. Hallyn" <serge.hallyn@ubuntu.com>,
LKML <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v4 3/5] fuse: Restrict allow_other to uids already controlled by the user
Date: Wed, 15 Oct 2014 07:58:59 -0700 [thread overview]
Message-ID: <543E8BB3.6040701@amacapital.net> (raw)
In-Reply-To: <1413296756-25071-4-git-send-email-seth.forshee@canonical.com>
On 10/14/2014 07:25 AM, Seth Forshee wrote:
> Unprivileged users are normally restricted from mounting with the
> allow_other option by system policy, but this could be bypassed
> for a mount done with user namespace root permissions. In such
> cases allow_other should not allow users outside the user
> namespace to access the mount as doing so would give the
> unprivileged user the ability to manipulate processes it would
> otherwise be unable to manipulate.
What threat is this intended to protect against? I think that, if this
is needed, tasks outside the userns or its descendents should be
blocked, even if the user ids match. That is, I think you should check
the namespace, not the uid and gid.
--Andy
>
> Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> Cc: Serge H. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
> Signed-off-by: Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
> ---
> fs/fuse/dir.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
> index 123db1e06c78..e3123bfbc711 100644
> --- a/fs/fuse/dir.c
> +++ b/fs/fuse/dir.c
> @@ -1089,12 +1089,20 @@ int fuse_reverse_inval_entry(struct super_block *sb, u64 parent_nodeid,
> */
> int fuse_allow_current_process(struct fuse_conn *fc)
> {
> - const struct cred *cred;
> + const struct cred *cred = current_cred();
>
> - if (fc->flags & FUSE_ALLOW_OTHER)
> - return 1;
> + if (fc->flags & FUSE_ALLOW_OTHER) {
> + if (kuid_has_mapping(fc->user_ns, cred->euid) &&
> + kuid_has_mapping(fc->user_ns, cred->suid) &&
> + kuid_has_mapping(fc->user_ns, cred->uid) &&
> + kgid_has_mapping(fc->user_ns, cred->egid) &&
> + kgid_has_mapping(fc->user_ns, cred->sgid) &&
> + kgid_has_mapping(fc->user_ns, cred->gid))
> + return 1;
> +
> + return 0;
> + }
>
> - cred = current_cred();
> if (uid_eq(cred->euid, fc->user_id) &&
> uid_eq(cred->suid, fc->user_id) &&
> uid_eq(cred->uid, fc->user_id) &&
>
next prev parent reply other threads:[~2014-10-15 14:59 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-14 14:25 [PATCH v4 0/5] fuse: Add support for mounts from pid/user namespaces Seth Forshee
2014-10-14 14:25 ` [PATCH v4 1/5] fuse: Add support for pid namespaces Seth Forshee
2014-10-14 14:25 ` [PATCH v4 2/5] fuse: Support fuse filesystems outside of init_user_ns Seth Forshee
2014-10-15 14:49 ` Andy Lutomirski
2014-10-15 15:05 ` Seth Forshee
2014-10-15 17:05 ` Andy Lutomirski
2014-10-15 22:59 ` Seth Forshee
2014-10-15 23:07 ` Andy Lutomirski
2014-10-15 23:24 ` Seth Forshee
2014-10-14 14:25 ` [PATCH v4 3/5] fuse: Restrict allow_other to uids already controlled by the user Seth Forshee
2014-10-15 14:58 ` Andy Lutomirski [this message]
2014-10-15 15:11 ` Seth Forshee
2014-10-14 14:25 ` [PATCH v4 4/5] fuse: Support privileged xattrs only with a mount option Seth Forshee
2014-10-14 18:12 ` [fuse-devel] " Michael j Theall
2014-10-14 20:01 ` Eric W. Biederman
2014-10-14 20:59 ` Seth Forshee
2014-10-14 21:13 ` Eric W. Biederman
2014-10-14 21:19 ` Andy Lutomirski
2014-10-14 21:29 ` Eric W. Biederman
2014-10-15 7:39 ` Seth Forshee
2014-10-15 14:37 ` Andy Lutomirski
2014-10-21 21:21 ` Seth Forshee
2014-10-21 21:27 ` Andy Lutomirski
2014-10-21 21:34 ` Michael j Theall
2014-10-21 21:44 ` Andy Lutomirski
2014-10-22 4:58 ` Seth Forshee
2014-10-23 18:32 ` Andy Lutomirski
2014-10-23 21:24 ` Seth Forshee
2014-10-14 14:25 ` [PATCH v4 5/5] fuse: Allow user namespace mounts Seth Forshee
2014-10-15 14:58 ` Andy Lutomirski
2014-10-15 15:20 ` Seth Forshee
2014-10-15 23:08 ` Andy Lutomirski
2014-10-15 23:07 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=543E8BB3.6040701@amacapital.net \
--to=luto@amacapital.net \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serge.hallyn@ubuntu.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).