OpenVZ Forum: Devel » Re: [patch 0/8] unprivileged mount syscall

Home » Mailing lists » Devel » Re: [patch 0/8] unprivileged mount syscall

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [patch 0/8] unprivileged mount syscall [message #18254 is a reply to message #18232]

Mon, 16 April 2007 15:55

Miklos Szeredi
Messages: 161
Registered: April 2007

Senior Member

> >> Arn't there ways to escape chroot jails? Serge had pointed me to a URL
> >> which showed chroots can be escaped. And if that is true than having all
> >> user's private mount tree in the same namespace can be a security issue?
> >
> > No.  In fact chrooting the user into /share/$USER will actually
> > _grant_ a privilege to the user, instead of taking it away.  It allows
> > the user to modify it's root namespace, which it wouldn't be able to
> > in the initial namespace.
> >
> > So even if the user could escape from the chroot (which I doubt), s/he
> > would not be able to do any harm, since unprivileged mounting would be
> > restricted to /share.  Also /share/$USER should only have read/search
> > permission for $USER or no permissions at all, which would mean, that
> > other users' namespaces would be safe from tampering as well.
> 
> A couple of points.
> - chroot can be escaped, it is just a chdir for the root directory
> it is not a security feature.  The only security is that you have to
> be root to call chdir.  A carefully done namespace setup won't have
> that issue.
> 
> - While it may not violate security as far as what a user is allowed
> to modify it may violate security as far as what a user is allowed
> to see.

I think that's just up to the permissions in the global namespace.  In
this example if you 'chmod 0 /share' there won't be anything for the
user to see.

> There are interesting per login cases as well such as allowing a
> user to replicate their mount tree from another machine when they
> log in.  When /home is on a network filesystem this can be very
> practical and can allow propagation of mounts across machines not
> just across a single login session.

Yeah, sounds interesting, but I think it's better to get the basics
working first, and then we can start to think about the extras.

Btw, there's nothing that prevents cloning the namespace _after_
chrooting into the per-user tree.  That would still be simpler than
doing it the other way round: first creating per-session namespaces
and then setting up mount propagation between them.

Miklos
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

Report message to a moderator

[Message index]

		Re: [patch 0/8] unprivileged mount syscall By: ebiederm on Mon, 16 April 2007 15:40
		Re: [patch 0/8] unprivileged mount syscall By: Miklos Szeredi on Mon, 16 April 2007 15:55

Previous Topic:	[PATCH] Report that kernel is tainted if there were an OOPS before
Next Topic:	[patch 00/10] (resend) mount ownership and unprivileged mount syscall

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Tue Jul 16 23:00:50 GMT 2024

Total time taken to generate the page: 0.02961 seconds