From mboxrd@z Thu Jan 1 00:00:00 1970 From: Seth Forshee Subject: Re: [PATCH RESEND v2 16/18] fuse: Support fuse filesystems outside of init_user_ns Date: Wed, 9 Mar 2016 11:07:26 -0600 Message-ID: <20160309170726.GB28779@ubuntu-hedt> References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com> <1451930639-94331-17-git-send-email-seth.forshee@canonical.com> <20160309112923.GF8655@tucsk> <20160309141840.GC23399@ubuntu-xps13> <20160309152505.GA28779@ubuntu-hedt> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: fuse-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org To: Miklos Szeredi Cc: linux-bcache-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Serge Hallyn , dm-devel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, LSM , Kernel Mailing List , linux-raid-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, fuse-devel , Austin S Hemmelgarn , linux-mtd-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org, "Eric W. Biederman" , selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, Linux-Fsdevel , Alexander Viro List-Id: linux-raid.ids On Wed, Mar 09, 2016 at 04:51:42PM +0100, Miklos Szeredi wrote: > On Wed, Mar 9, 2016 at 4:25 PM, Seth Forshee wrote: > > On Wed, Mar 09, 2016 at 03:48:22PM +0100, Miklos Szeredi wrote: > > >> Can't we use current_cred()->uid/gid? Or fsuid/fsgid maybe? > > > > That would be a departure from the current behavior in the !allow_other > > case for unprivileged users. Since those mounts are done by an suid > > helper all of those ids would be root in the userns, wouldn't they? > > Well, actually this is what the helper does: > > sprintf(d, "fd=%i,rootmode=%o,user_id=%u,group_id=%u", > fd, rootmode, getuid(), getgid()); Sorry, I was thinking of euid. So this may not be a problem. > So it just uses the current uid/gid. Apparently no reason to do this > in userland, we could just as well set these in the kernel. Except > for possible backward compatibility problems for things not using the > helper. > > BUT if the mount is unprivileged or it's a userns mount, or anything > previously not possible, then we are not constrained by the backward > compatibility issues, and can go with the saner solution. > > Does that not make sense? But we generally do want backwards compatibility, and we want userspace software to be able to expect the same behavior whether or not it's running in a user namespaced container. Obviously we can't always have things 100% identical, but we shouldn't break things unless we really need to. However it may be that this isn't actually going to break assumptions of existing software like I had feared. My preference is still to not change any userspace-visible behaviors since we never know what software might have made assumptions based on those behaviors. But if you're confident that it won't break anything I'm willing to give it a try. > >> When we have true unprivileged mounts, the user_id/group_id options > >> become redundant anyway and we can just use the current credentials. > > > > True, but we don't yet have that. > > What's missing? A user must still be privileged to mount, even if only towards their own user and mount namespaces. Maybe that's what you meant though and I just misunderstood. Thanks, Seth ------------------------------------------------------------------------------ Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 -- fuse-devel mailing list To unsubscribe or subscribe, visit https://lists.sourceforge.net/lists/listinfo/fuse-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933497AbcCIRHy (ORCPT ); Wed, 9 Mar 2016 12:07:54 -0500 Received: from mail-oi0-f46.google.com ([209.85.218.46]:34837 "EHLO mail-oi0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933435AbcCIRHk (ORCPT ); Wed, 9 Mar 2016 12:07:40 -0500 Date: Wed, 9 Mar 2016 11:07:26 -0600 From: Seth Forshee To: Miklos Szeredi Cc: "Eric W. Biederman" , Alexander Viro , Serge Hallyn , Richard Weinberger , Austin S Hemmelgarn , Kernel Mailing List , linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, Linux-Fsdevel , fuse-devel , LSM , selinux@tycho.nsa.gov Subject: Re: [PATCH RESEND v2 16/18] fuse: Support fuse filesystems outside of init_user_ns Message-ID: <20160309170726.GB28779@ubuntu-hedt> References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com> <1451930639-94331-17-git-send-email-seth.forshee@canonical.com> <20160309112923.GF8655@tucsk> <20160309141840.GC23399@ubuntu-xps13> <20160309152505.GA28779@ubuntu-hedt> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 09, 2016 at 04:51:42PM +0100, Miklos Szeredi wrote: > On Wed, Mar 9, 2016 at 4:25 PM, Seth Forshee wrote: > > On Wed, Mar 09, 2016 at 03:48:22PM +0100, Miklos Szeredi wrote: > > >> Can't we use current_cred()->uid/gid? Or fsuid/fsgid maybe? > > > > That would be a departure from the current behavior in the !allow_other > > case for unprivileged users. Since those mounts are done by an suid > > helper all of those ids would be root in the userns, wouldn't they? > > Well, actually this is what the helper does: > > sprintf(d, "fd=%i,rootmode=%o,user_id=%u,group_id=%u", > fd, rootmode, getuid(), getgid()); Sorry, I was thinking of euid. So this may not be a problem. > So it just uses the current uid/gid. Apparently no reason to do this > in userland, we could just as well set these in the kernel. Except > for possible backward compatibility problems for things not using the > helper. > > BUT if the mount is unprivileged or it's a userns mount, or anything > previously not possible, then we are not constrained by the backward > compatibility issues, and can go with the saner solution. > > Does that not make sense? But we generally do want backwards compatibility, and we want userspace software to be able to expect the same behavior whether or not it's running in a user namespaced container. Obviously we can't always have things 100% identical, but we shouldn't break things unless we really need to. However it may be that this isn't actually going to break assumptions of existing software like I had feared. My preference is still to not change any userspace-visible behaviors since we never know what software might have made assumptions based on those behaviors. But if you're confident that it won't break anything I'm willing to give it a try. > >> When we have true unprivileged mounts, the user_id/group_id options > >> become redundant anyway and we can just use the current credentials. > > > > True, but we don't yet have that. > > What's missing? A user must still be privileged to mount, even if only towards their own user and mount namespaces. Maybe that's what you meant though and I just misunderstood. Thanks, Seth