Re: [patch] unprivileged mounts update

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: serge@hallyn.com, hpa@zytor.com, linuxram@us.ibm.com,
	linux-kernel@vger.kernel.org, containers@lists.osdl.org,
	linux-security-module@vger.kernel.org, ebiederm@xmission.com,
	viro@ftp.linux.org.uk, linux-fsdevel@vger.kernel.org,
	akpm@linux-foundation.org
Subject: Re: [patch] unprivileged mounts update
Date: Thu, 26 Apr 2007 11:19:29 -0500	[thread overview]
Message-ID: <20070426161929.GA6439@sergelap.austin.ibm.com> (raw)
In-Reply-To: <E1Hh5oQ-0000w1-00@dorka.pomaz.szeredi.hu>

Quoting Miklos Szeredi (miklos@szeredi.hu):
> > Quoting Miklos Szeredi (miklos@szeredi.hu):
> > > > Right, I figure if the normal action is to always do
> > > > mnt->user = current->fsuid, then for the special case we
> > > > pass a uid in someplace.  Of course...  do we not have a
> > > > place to do that?  Would it be a no-no to use 'data' for
> > > > a non-fs-specific arg?
> > > 
> > > I guess it would be OK for bind, but not for new- and remounts, where
> > > 'data' is already used.
> > > 
> > > Maybe it's best to stay with fsuid after all, and live with having to
> > > restore capabilities.  It's not so bad after all, this seems to do the
> > > trick:
> > > 
> > > 	cap_t cap = cap_get_proc();
> > > 	setfsuid(uid);
> > > 	cap_set_proc(cap);
> > > 
> > > Unfortunately these functions are not in libc, but in a separate
> > > "libcap" library.  Ugh.
> > 
> > Ok, are you still planning to nix the MS_SETUSER flag, though, as
> > Eric suggested?  I think it's cleanest - always set the mnt->user
> > field to current->fsuid, and require CAP_SYS_ADMIN if the
> > mountpoint->mnt->user != current->fsuid.
> 
> It would be a nice cleanup, but I think it's unworkable for the
> following reasons:
> 
> Up till now mount(2) and umount(2) always required CAP_SYS_ADMIN, and
> we must make sure, that unless there's some explicit action by the
> sysadmin, these rules are still enfoced.
> 
> For example, with just a check for mnt->mnt_uid == current->fsuid, a
> fsuid=0 process could umount or submount all the "legacy" mounts even
> without CAP_SYS_ADMIN.
>
> This is a fundamental security problem, with getting rid of MS_SETUSER
> and MNT_USER.
> 
> Another, rather unlikely situation is if an existing program sets
> fsuid to non-zero before calling mount, hence unwantingly making that
> mount owned by some user after these patches.
> 
> Also adding "user=0" to the options in /proc/mounts would be an
> inteface breakage, that is probably harmless, but people wouldn't like
> it.  Special casing the zero uid for this case is more ugly IMO, than
> the problem we are trying to solve.
> 
> If we didn't have existing systems to deal with, then of course I'd
> agree with Eric's suggestion.
> 
> Miklos

So then as far as you're concerned, the patches which were in -mm will
remain unchanged?

-serge

next prev parent reply	other threads:[~2007-04-26 16:20 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-04-25  7:45 Miklos Szeredi
2007-04-25 15:18 ` Miklos Szeredi
2007-04-25 16:55   ` H. Peter Anvin
2007-04-25 17:20     ` Serge E. Hallyn
2007-04-25 17:46       ` Eric W. Biederman
2007-04-25 17:56         ` Serge E. Hallyn
2007-04-25 18:41           ` Eric W. Biederman
2007-04-25 18:52             ` Serge E. Hallyn
2007-04-25 19:33               ` Miklos Szeredi
2007-04-26 14:57                 ` Serge E. Hallyn
2007-04-26 15:23                   ` Miklos Szeredi
2007-04-26 16:19                     ` Serge E. Hallyn [this message]
2007-04-26 16:29                       ` Miklos Szeredi
2007-04-26 19:42                         ` Serge E. Hallyn
2007-04-26 19:56                           ` Miklos Szeredi
2007-04-27  2:10                             ` Serge E. Hallyn
2007-04-25 17:21   ` Eric W. Biederman
2007-04-25 17:30     ` Serge E. Hallyn
2007-04-26 19:10     ` Jan Engelhardt
2007-04-26 20:27       ` Miklos Szeredi
2007-04-27  4:10         ` Eric W. Biederman
2007-04-27  7:01         ` Jan Engelhardt
2007-04-25 19:33   ` Andrew Morton
2007-04-25 19:45     ` Miklos Szeredi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070426161929.GA6439@sergelap.austin.ibm.com \
    --to=serue@us.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=containers@lists.osdl.org \
    --cc=ebiederm@xmission.com \
    --cc=hpa@zytor.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linuxram@us.ibm.com \
    --cc=miklos@szeredi.hu \
    --cc=serge@hallyn.com \
    --cc=viro@ftp.linux.org.uk \
    --subject='Re: [patch] unprivileged mounts update' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).