linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Bruce Fields <bfields@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	virtio-fs@redhat.com, Daniel Walsh <dwalsh@redhat.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Casey Schaufler <casey.schaufler@intel.com>,
	LSM <linux-security-module@vger.kernel.org>,
	selinux@vger.kernel.org, "Theodore Ts'o" <tytso@mit.edu>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Giuseppe Scrivano <gscrivan@redhat.com>,
	stephen.smalley.work@gmail.com,
	Andreas Gruenbacher <agruenba@redhat.com>,
	Dave Chinner <david@fromorbit.com>
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Date: Tue, 14 Sep 2021 11:01:00 -0400	[thread overview]
Message-ID: <CAPL3RVGXWtakCS9bvE60gWp0tcsduJFKfoU4aoqANRgp7HvFow@mail.gmail.com> (raw)
In-Reply-To: <YUCybaYK/0RLvY9J@redhat.com>

On Tue, Sep 14, 2021 at 10:32 AM Vivek Goyal <vgoyal@redhat.com> wrote:
> open_by_handle_at() requires CAP_DAC_READ_SEARCH.

Or some sort of access to the network.  If you can send rpc requests
to the nfs server that appear to be from someone with access to the
export, you can guess filehandles that allow access to objects under
that directory.  You'll need access to particular objects, but you
won't need read or lookup access to the directory.

You can prevent that if you set things up right, but these
filehandle-issues are poorly understood, and people often forget to
take them into account.

--b.

> And if you have
> CAP_DAC_READ_SEARCH, you don't need to even guess file handles. You
> should be able to read/search through all directories, IIUC.
>
> So how does one make sure that shared directory on host is not
> accessible to unprivileged entities. If making directory accessible
> to root only is weaker security, what are the options for stronger
> security.


  reply	other threads:[~2021-09-14 15:01 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-02 15:22 [PATCH v3 0/1] Relax restrictions on user.* xattr Vivek Goyal
2021-09-02 15:22 ` [PATCH v3 1/1] xattr: Allow user.* xattr on symlink and special files Vivek Goyal
2021-09-02 15:38 ` [PATCH 2/1] man-pages: xattr.7: Update text for user extended xattr behavior change Vivek Goyal
2021-09-02 15:43 ` [PATCH v3 0/1] Relax restrictions on user.* xattr Casey Schaufler
2021-09-02 17:05   ` Vivek Goyal
2021-09-02 17:42     ` Vivek Goyal
2021-09-02 18:55       ` Casey Schaufler
2021-09-02 20:06         ` Vivek Goyal
2021-09-02 22:34           ` Casey Schaufler
2021-09-03 15:26             ` Vivek Goyal
2021-09-03 18:49               ` Casey Schaufler
2021-09-06  7:45             ` [Virtio-fs] " Sergio Lopez
2021-09-06 14:55             ` Dr. David Alan Gilbert
2021-09-13 19:05               ` Casey Schaufler
2021-09-14 12:51                 ` Vivek Goyal
2021-09-14 13:56                   ` Casey Schaufler
2021-09-14 13:59                   ` Bruce Fields
2021-09-14 14:32                     ` Vivek Goyal
2021-09-14 15:01                       ` Bruce Fields [this message]
2021-09-15 16:33                       ` Dr. Greg
2021-09-02 15:47 ` [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels Vivek Goyal
2021-09-03  4:55   ` Dave Chinner
2021-09-03  6:31   ` Andreas Gruenbacher
2021-09-03  6:56     ` Andreas Gruenbacher
2021-09-03 14:42       ` Bruce Fields
2021-09-03 15:43         ` Vivek Goyal
2021-09-03 15:50           ` Bruce Fields
2021-09-03 16:01             ` Casey Schaufler
2021-09-03 16:03             ` Vivek Goyal
2021-09-03  6:31   ` Zorro Lang
2021-09-02 15:50 ` [PATCH 4/1] xfstest: Add a new test to test xattr operations Vivek Goyal
2021-09-02 17:52 ` [PATCH v3 0/1] Relax restrictions on user.* xattr Andreas Gruenbacher
2021-09-02 18:48   ` Vivek Goyal
2021-09-02 19:19     ` Casey Schaufler
2021-09-06 14:39   ` Dr. David Alan Gilbert
2021-09-06 14:56     ` Miklos Szeredi
2021-09-07 21:40       ` Vivek Goyal
2021-09-08  7:37         ` Miklos Szeredi
2021-09-08 14:20           ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPL3RVGXWtakCS9bvE60gWp0tcsduJFKfoU4aoqANRgp7HvFow@mail.gmail.com \
    --to=bfields@redhat.com \
    --cc=agruenba@redhat.com \
    --cc=casey.schaufler@intel.com \
    --cc=casey@schaufler-ca.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=david@fromorbit.com \
    --cc=dgilbert@redhat.com \
    --cc=dwalsh@redhat.com \
    --cc=gscrivan@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    --cc=tytso@mit.edu \
    --cc=vgoyal@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=virtio-fs@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).