Home » Mailing lists » Devel » [patch 0/8] mount ownership and unprivileged mount syscall (v4)
Re: [patch 2/8] allow unprivileged umount [message #18427 is a reply to message #18426] |
Sat, 21 April 2007 12:53 ![Go to previous message Go to previous message](/theme/ovz3/images/up.png) ![Go to next message Go to previous message](/theme/ovz3/images/down.png) |
ebiederm
Messages: 1354 Registered: February 2006
|
Senior Member |
|
|
Andrew Morton <akpm@linux-foundation.org> writes:
> On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi <miklos@szeredi.hu> wrote:
>
>> > > +static bool permit_umount(struct vfsmount *mnt, int flags)
>> > > +{
>> > >
>> > > ...
>> > >
>> > > + return mnt->mnt_uid == current->uid;
>> > > +}
>> >
>> > Yes, this seems very wrong. I'd have thought that comparing user_struct*'s
>> > would get us a heck of a lot closer to being able to support aliasing of
>> > UIDs between different namespaces.
>> >
>>
>> OK, I'll fix this up.
>>
>> Actually an earlier version of this patch did use user_struct's but
>> I'd changed it to uids, because it's simpler.
>
> OK..
>
>> I didn't think about
>> this being contrary to the id namespaces thing.
>
> Well I was madly assuming that when serarate UID namespaces are in use, UID
> 42 in container A will have a different user_struct from UID 42 in
> container B. I'd suggest that we provoke an opinion from Eric & co before
> you do work on this.
That is what I what I have been thinking as well, storing a user
struct on each mount point seems sane, plus it allows per user mount
rlimits which is major plus. Especially since we seem to be doing
accounting only for user mounts a per user rlimit seems good.
To get the user we should be user fs_uid as HPA suggested.
Finally I'm pretty certain the capability we should care about in
this context is CAP_SETUID. Instead of CAP_SYS_ADMIN.
If we have CAP_SETUID we can become which ever user owns the mount,
and the root user in a container needs this, so he can run login
programs. So changing the appropriate super user checks from
CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.
With the CAP_SETUID thing handled I'm not currently seeing any adverse
implications to using this in containers.
Ok. Now that I have a reasonable approximation of the 10,000 foot
view now to see how the patches match up.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
|
|
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 0/8] mount ownership and unprivileged mount syscall (v4)
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 1/8] add user mounts to the kernel
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
By: akpm on Sat, 21 April 2007 07:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
By: ebiederm on Sat, 21 April 2007 13:14
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
By: ebiederm on Sun, 22 April 2007 07:43
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 1/8] add user mounts to the kernel
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 2/8] allow unprivileged umount
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: akpm on Sat, 21 April 2007 07:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: hpa on Sat, 21 April 2007 08:01
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: akpm on Sat, 21 April 2007 08:36
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: ebiederm on Sat, 21 April 2007 12:53
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: ebiederm on Sat, 21 April 2007 13:29
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
By: ebiederm on Sun, 22 April 2007 07:09
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 2/8] allow unprivileged umount
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 3/8] account user mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 3/8] account user mounts
By: akpm on Sat, 21 April 2007 07:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 3/8] account user mounts
By: ebiederm on Sat, 21 April 2007 13:37
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 3/8] account user mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 3/8] account user mounts
By: ebiederm on Sun, 22 April 2007 07:49
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 3/8] account user mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 4/8] propagate error values from clone_mnt
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 4/8] propagate error values from clone_mnt
By: ebiederm on Sat, 21 April 2007 13:40
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 5/8] allow unprivileged bind mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 5/8] allow unprivileged bind mounts
By: ebiederm on Sat, 21 April 2007 14:00
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 5/8] allow unprivileged bind mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 6/8] put declaration of put_filesystem() in fs.h
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
By: akpm on Sat, 21 April 2007 07:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
By: ebiederm on Sat, 21 April 2007 14:10
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
By: ebiederm on Sat, 21 April 2007 16:57
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
By: ebiederm on Sat, 21 April 2007 21:00
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 7/8] allow unprivileged mounts
By: ebiederm on Sat, 21 April 2007 21:33
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[patch 8/8] allow unprivileged fuse mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 8/8] allow unprivileged fuse mounts
By: akpm on Sat, 21 April 2007 07:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 8/8] allow unprivileged fuse mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 8/8] allow unprivileged fuse mounts
By: ebiederm on Sat, 21 April 2007 14:18
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 8/8] allow unprivileged fuse mounts
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 0/8] mount ownership and unprivileged mount syscall (v4)
By: ebiederm on Wed, 25 April 2007 01:04
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 0/8] mount ownership and unprivileged mount syscall (v4)
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 0/8] mount ownership and unprivileged mount syscall (v4)
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [patch 0/8] mount ownership and unprivileged mount syscall (v4)
|
Goto Forum:
Current Time: Tue Jul 16 11:19:59 GMT 2024
Total time taken to generate the page: 0.02836 seconds
|