From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
akpm@linux-foundation.org, hch@infradead.org,
viro@ZenIV.linux.org.uk, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: unprivileged mounts git tree
Date: Sat, 13 Sep 2008 20:06:46 -0700 [thread overview]
Message-ID: <m1od2r1l4p.fsf@frodo.ebiederm.org> (raw)
In-Reply-To: <20080914015646.GC18604@us.ibm.com> (Serge E. Hallyn's message of "Sat, 13 Sep 2008 20:56:46 -0500")
"Serge E. Hallyn" <serue@us.ibm.com> writes:
>> > So in order for me as an unprivileged user to pin a dentry by mounting
>> > over it, I have to have write permission to the dentry to begin with
>> > as well as the dentry being under a user=hallyn mount.
>>
>> That second condition is interesting requiring write permission of the
>> dentry. I thought we had obviated the need for that when we added
>> ownership to the mounts themselves. In this case at least it shouldn't
>> it be write permission on the directory containing the dentry.
>
> Oh no, it seems I'm wrong, that's not a condition. Just tested it.
Ok. I couldn't find Mikolos's code when I looked quickly.
What are the current rules? It sounds like my original example could apply.
>> This seems to mess up things like revoke.
>
> Hey, do we have revoke now? :)
Periodically someone works on revoke ;)
>> At a practical level it is a real annoyance, regardless of the security
>> implications.
>>
>> As a point of comparison plan9 does not have that restriction.
>
> Why doesn't it have that restriction?
I haven't heard the reason.
> Does it always allow you to rm a mounted-over file?
Yes.
The implementation of mounts in plan9 is a bit different. In
plan9 mounts are looked up by mount namespace and qid (effectively
the inode number). So the semantics are slightly different.
Requiring a new mount namespace if you want to see what a filesystem
looks like without a mount on top of a given file.
It also looks like plan9 is likely to have a unmountable and unusable mount
if you actually delete an file, from another mount namespace.
Linux actually has a very similar case where we can loose a mount if you rename
the directory that contains it to be somewhere higher in the mount hierarchy
than the location the mount was under.
All of that said there is a very good practical justification for it all.
In a filesystem where not all changes come through our local VFS the
VFS cannot prevent changes to a filesystem it can only cache and respond
to changes that do occur.
So things like sysfs_rename_dir and sysfs_move_dir routinely bypass
the VFS restriction against changes happening under mount points. It
isn't a problem in practice because people don't mount on sysfs but the
problem is very much there today.
It looks to me like the right solution is very much to do the lazy
unmount we do for expired mounts, and purge everything that happens
and then we just don't have to worry about mounts causing a denial
of service attack and life gets simpler.
Rename is a bit trickier than unlink and rmdir in that we should allow
it on the underlying filesystem and only remove the directory if the
rename goes out of scope for the overlying mount.
Eric
next prev parent reply other threads:[~2008-09-14 3:15 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-07 12:05 unprivileged mounts git tree Miklos Szeredi
2008-08-07 22:27 ` Serge E. Hallyn
2008-08-08 0:07 ` Eric W. Biederman
2008-08-08 0:25 ` Serge E. Hallyn
2008-08-25 11:01 ` Miklos Szeredi
2008-08-27 15:36 ` Serge E. Hallyn
2008-08-27 15:55 ` Miklos Szeredi
2008-08-27 18:46 ` Serge E. Hallyn
2008-09-03 18:45 ` Miklos Szeredi
2008-09-03 21:54 ` Serge E. Hallyn
2008-09-03 22:02 ` Serge E. Hallyn
2008-09-03 22:25 ` Miklos Szeredi
2008-09-03 22:43 ` Serge E. Hallyn
2008-09-04 6:42 ` Miklos Szeredi
2008-09-04 13:28 ` Serge E. Hallyn
2008-09-04 14:06 ` Miklos Szeredi
2008-09-04 15:40 ` Miklos Szeredi
2008-09-04 16:17 ` Serge E. Hallyn
2008-09-04 17:42 ` Miklos Szeredi
2008-09-04 17:48 ` Serge E. Hallyn
2008-09-04 18:03 ` Miklos Szeredi
2008-09-04 18:49 ` Serge E. Hallyn
2008-09-04 22:26 ` Miklos Szeredi
2008-09-04 23:32 ` Serge E. Hallyn
2008-09-05 15:31 ` Serge E. Hallyn
2008-09-09 13:34 ` Miklos Szeredi
2008-09-11 10:37 ` Eric W. Biederman
2008-09-11 14:43 ` Miklos Szeredi
2008-09-11 15:20 ` Serge E. Hallyn
2008-09-11 15:44 ` Miklos Szeredi
2008-09-11 18:54 ` Eric W. Biederman
2008-09-12 22:08 ` Serge E. Hallyn
2008-09-13 3:12 ` Eric W. Biederman
2008-09-14 1:56 ` Serge E. Hallyn
2008-09-14 3:06 ` Eric W. Biederman [this message]
2008-09-30 19:39 ` Serge E. Hallyn
2008-10-06 11:05 ` Miklos Szeredi
2008-09-11 19:04 ` Eric W. Biederman
2008-09-11 19:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1od2r1l4p.fsf@frodo.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serue@us.ibm.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox