From: Miklos Szeredi <miklos@szeredi.hu>
To: Christian Brauner <brauner@kernel.org>
Cc: Dave Marchevsky <davemarchevsky@fb.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-fsdevel@vger.kernel.org,
Seth Forshee <sforshee@digitalocean.com>,
Rik van Riel <riel@surriel.com>, kernel-team <kernel-team@fb.com>,
Andrii Nakryiko <andrii@kernel.org>
Subject: Re: [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount
Date: Wed, 18 May 2022 13:26:05 +0200 [thread overview]
Message-ID: <CAJfpegtNKbOzu0F=-k_ovxrAOYsOBk91e3v6GPgpfYYjsAM5xw@mail.gmail.com> (raw)
In-Reply-To: <20220518112229.s5nalbyd523nxxru@wittgenstein>
On Wed, 18 May 2022 at 13:22, Christian Brauner <brauner@kernel.org> wrote:
>
> On Tue, May 17, 2022 at 12:50:32PM -0400, Dave Marchevsky wrote:
> > Sorry to ressurect this old thread. My proposed alternate approach of "special
> > ioctl to grant exception to descendant userns check" proved unnecessarily
> > complex: ioctls also go through fuse_allow_current_process check, so a special
> > carve-out would be necessary for in both ioctl and fuse_permission check in
> > order to make it possible for non-descendant-userns user to opt in to exception.
> >
> > How about a version of this patch with CAP_DAC_READ_SEARCH check? This way
> > there's more of a clear opt-in vs CAP_SYS_ADMIN.
>
> I still think this isn't needed given that especially for the use-cases
> listed here you have a workable userspace solution to this problem.
>
> If the CAP_SYS_ADMIN/CAP_DAC_READ_SEARCH check were really just about
> giving a privileged task access then it'd be fine imho. But given that
> this means the privileged task is open to a DoS attack it seems we're
> building a trap into the fuse code.
>
> The setns() model has the advantage that this forces the task to assume
> the correct privileges and also serves as an explicit opt-in. Just my 2
> cents here.
Fully agreed. Using CAP_DAC_READ_SEARCH instead of CAP_SYS_ADMIN
doesn't make this any better, since root has all caps including
CAP_DAC_READ_SEARCH.
Thanks,
Miklos
next prev parent reply other threads:[~2022-05-18 11:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-11 22:11 [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount Dave Marchevsky
2021-11-12 2:10 ` Rik van Riel
2021-11-12 10:13 ` Christian Brauner
2021-11-12 23:29 ` Dave Marchevsky
2021-11-15 15:28 ` Miklos Szeredi
2022-05-17 16:50 ` Dave Marchevsky
2022-05-18 11:22 ` Christian Brauner
2022-05-18 11:26 ` Miklos Szeredi [this message]
2022-05-19 4:56 ` Andrii Nakryiko
2022-05-19 8:59 ` Christian Brauner
2022-05-24 4:35 ` Andrii Nakryiko
2022-05-24 7:07 ` Miklos Szeredi
2022-05-24 14:59 ` Rik van Riel
2022-05-24 15:44 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJfpegtNKbOzu0F=-k_ovxrAOYsOBk91e3v6GPgpfYYjsAM5xw@mail.gmail.com' \
--to=miklos@szeredi.hu \
--cc=andrii@kernel.org \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=riel@surriel.com \
--cc=sforshee@digitalocean.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).