From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: ebiederm@xmission.com, akpm@linux-foundation.org,
hch@infradead.org, viro@ZenIV.linux.org.uk,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: unprivileged mounts git tree
Date: Wed, 27 Aug 2008 10:36:28 -0500 [thread overview]
Message-ID: <20080827153628.GA11242@us.ibm.com> (raw)
In-Reply-To: <E1KXZpC-0008Ie-6w@pomaz-ex.szeredi.hu>
Quoting Miklos Szeredi (miklos@szeredi.hu):
> On Thu, 7 Aug 2008, Serge E. Hallyn wrote:
> > Quoting Eric W. Biederman (ebiederm@xmission.com):
> > > "Serge E. Hallyn" <serue@us.ibm.com> writes:
> > > > so on the bright side I pulled this tree today and it compiled and
> > > > passed ltp with no problems.
> > > >
> > > > But then I played around a bit and found I could do the following:
> > > >
> > > > (hmm, i'm trying to remember the exact order :)
> > > >
> > > > as root:
> > > > mmount --bind -o user=500 /home/hallyn/etc/ /home/hallyn/etc/
> > > > mount --bind /mnt /mnt
> > > > mount --make-rshared /mnt
> > > > mount --bind /dev /mnt/dev
> > > >
> > > > as hallyn:
> > > > mmount --bind /mnt /home/hallyn/etc/mnt
> > > > /usr/src/mmount-0.3/mmount --bind mnt/dev mnt/src
> > >
> > > You are using relative directory names here which makes it confusing.
> > > I'm assuming you in /home/hallyn/etc ?
> >
> > Sorry, yeah.
> >
> > > > Now /mnt/src contained /dev.
> > > >
> > > > Is this what we want?
> > >
> > > I don't think so.
> > >
> > > I think the simplest answer is to not allow mounting of shared
> > > subtrees controlled by a different user.
> > >
> > > Serge I think you are right downgrading the mount from shared to slave
> > > looks like the sane thing to do if the mount owners match.
> >
> > I assume you mean "if the mount owners don't match"?
> >
> > Miklos, what do you think?
>
> Sorry about the late reply: I was on a long summer vacation...
>
> Serge, thanks for spotting this: it looks indeed a nasty hole! I also
> agree about the solution.
Are you implementing it, or did you want me to?
> > The next question then becomes, how can we prove to ourselves that that
> > closes the last security hole with unprivileged mounts? So long as
> > we treat each mount event as a piece of information and look at it as an
> > information flow problem, maybe we can actually come up with a good
> > description of the logic that is implemented and show that there is no
> > way a user can "leak" info... (where a leak is a mount event, a
> > violation of intended DAC on open(file) or mkdir, etc)
>
> "Information flow problem" doesn't mean much to me (I'm actually an
> electric engineer, who ended up doing programming for living ;)
>
> But yeah, we should think this over very carefully. Especially
> interaction with mount propagation, which has very complicated and
> sometimes rather counter-intuitive semantics.
I know we discussed before about whether a propagated mount from a
non-user mount to a user mount should end up being owned by the user
or not. I don't recall (and am not checking the code at the moment
as your tree is sitting elsewhere) whether we mark the propagated
tree with the right nosuid and nodev flags, or whether we call it
a user mount or not.
-serge
next prev parent reply other threads:[~2008-08-27 15:36 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-07 12:05 unprivileged mounts git tree Miklos Szeredi
2008-08-07 22:27 ` Serge E. Hallyn
2008-08-08 0:07 ` Eric W. Biederman
2008-08-08 0:25 ` Serge E. Hallyn
2008-08-25 11:01 ` Miklos Szeredi
2008-08-27 15:36 ` Serge E. Hallyn [this message]
2008-08-27 15:55 ` Miklos Szeredi
2008-08-27 18:46 ` Serge E. Hallyn
2008-09-03 18:45 ` Miklos Szeredi
2008-09-03 21:54 ` Serge E. Hallyn
2008-09-03 22:02 ` Serge E. Hallyn
2008-09-03 22:25 ` Miklos Szeredi
2008-09-03 22:43 ` Serge E. Hallyn
2008-09-04 6:42 ` Miklos Szeredi
2008-09-04 13:28 ` Serge E. Hallyn
2008-09-04 14:06 ` Miklos Szeredi
2008-09-04 15:40 ` Miklos Szeredi
2008-09-04 16:17 ` Serge E. Hallyn
2008-09-04 17:42 ` Miklos Szeredi
2008-09-04 17:48 ` Serge E. Hallyn
2008-09-04 18:03 ` Miklos Szeredi
2008-09-04 18:49 ` Serge E. Hallyn
2008-09-04 22:26 ` Miklos Szeredi
2008-09-04 23:32 ` Serge E. Hallyn
2008-09-05 15:31 ` Serge E. Hallyn
2008-09-09 13:34 ` Miklos Szeredi
2008-09-11 10:37 ` Eric W. Biederman
2008-09-11 14:43 ` Miklos Szeredi
2008-09-11 15:20 ` Serge E. Hallyn
2008-09-11 15:44 ` Miklos Szeredi
2008-09-11 18:54 ` Eric W. Biederman
2008-09-12 22:08 ` Serge E. Hallyn
2008-09-13 3:12 ` Eric W. Biederman
2008-09-14 1:56 ` Serge E. Hallyn
2008-09-14 3:06 ` Eric W. Biederman
2008-09-30 19:39 ` Serge E. Hallyn
2008-10-06 11:05 ` Miklos Szeredi
2008-09-11 19:04 ` Eric W. Biederman
2008-09-11 19:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080827153628.GA11242@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).