From: Miklos Szeredi <miklos@szeredi.hu>
To: Christian Brauner <brauner@kernel.org>
Cc: Dave Marchevsky <davemarchevsky@fb.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-fsdevel@vger.kernel.org,
Seth Forshee <sforshee@digitalocean.com>,
Rik van Riel <riel@surriel.com>, kernel-team <kernel-team@fb.com>,
Andrii Nakryiko <andrii@kernel.org>
Subject: Re: [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount
Date: Wed, 18 May 2022 13:26:05 +0200 [thread overview]
Message-ID: <CAJfpegtNKbOzu0F=-k_ovxrAOYsOBk91e3v6GPgpfYYjsAM5xw@mail.gmail.com> (raw)
In-Reply-To: <20220518112229.s5nalbyd523nxxru@wittgenstein>
On Wed, 18 May 2022 at 13:22, Christian Brauner <brauner@kernel.org> wrote:
>
> On Tue, May 17, 2022 at 12:50:32PM -0400, Dave Marchevsky wrote:
> > Sorry to ressurect this old thread. My proposed alternate approach of "special
> > ioctl to grant exception to descendant userns check" proved unnecessarily
> > complex: ioctls also go through fuse_allow_current_process check, so a special
> > carve-out would be necessary for in both ioctl and fuse_permission check in
> > order to make it possible for non-descendant-userns user to opt in to exception.
> >
> > How about a version of this patch with CAP_DAC_READ_SEARCH check? This way
> > there's more of a clear opt-in vs CAP_SYS_ADMIN.
>
> I still think this isn't needed given that especially for the use-cases
> listed here you have a workable userspace solution to this problem.
>
> If the CAP_SYS_ADMIN/CAP_DAC_READ_SEARCH check were really just about
> giving a privileged task access then it'd be fine imho. But given that
> this means the privileged task is open to a DoS attack it seems we're
> building a trap into the fuse code.
>
> The setns() model has the advantage that this forces the task to assume
> the correct privileges and also serves as an explicit opt-in. Just my 2
> cents here.
Fully agreed. Using CAP_DAC_READ_SEARCH instead of CAP_SYS_ADMIN
doesn't make this any better, since root has all caps including
CAP_DAC_READ_SEARCH.
Thanks,
Miklos
next prev parent reply other threads:[~2022-05-18 11:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-11 22:11 [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount Dave Marchevsky
2021-11-12 2:10 ` Rik van Riel
2021-11-12 10:13 ` Christian Brauner
2021-11-12 23:29 ` Dave Marchevsky
2021-11-15 15:28 ` Miklos Szeredi
2022-05-17 16:50 ` Dave Marchevsky
2022-05-18 11:22 ` Christian Brauner
2022-05-18 11:26 ` Miklos Szeredi [this message]
2022-05-19 4:56 ` Andrii Nakryiko
2022-05-19 8:59 ` Christian Brauner
2022-05-24 4:35 ` Andrii Nakryiko
2022-05-24 7:07 ` Miklos Szeredi
2022-05-24 14:59 ` Rik van Riel
2022-05-24 15:44 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJfpegtNKbOzu0F=-k_ovxrAOYsOBk91e3v6GPgpfYYjsAM5xw@mail.gmail.com' \
--to=miklos@szeredi.hu \
--cc=andrii@kernel.org \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=riel@surriel.com \
--cc=sforshee@digitalocean.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.