Re: [patch] unprivileged mounts update

From: "Serge E. Hallyn" <serue@xxxxxxxxxx>
Date: Wed, 25 Apr 2007 12:20:12 -0500

Quoting H. Peter Anvin (hpa@xxxxxxxxx):

Miklos Szeredi wrote:

Andrew, please skip this patch, for now.

Serge found a problem with the fsuid approach: setfsuid(nonzero) will
remove filesystem related capabilities. So even if root is trying to
set the "user=UID" flag on a mount, access to the target (and in case
of bind, the source) is checked with user privileges.

Root should be able to set this flag on any mountpoint, _regardless_
of permissions.

Right, if you're using fsuid != 0, you're not running as root

Sure, but what I'm not clear on is why, if I've done a
prctl(PR_SET_KEEPCAPS, 1) before the setfsuid, I still lose the
CAP_FS_MASK perms. I see the special case handling in
cap_task_post_setuid(). I'm sure there was a reason for it, but
this is a piece of the capability implementation I don't understand
right now.

I would send in a patch to make it honor current->keep_capabilities,
but I have a feeling there was a good reason not to do so in the
first place.

(fsuid is
the equivalent to euid for the filesystem.)

If it were really the equivalent then I could keep my capabilities :)
after changing it.

I fail to see how ruid should have *any* impact on mount(2). That seems
to be a design flaw.

May be, but just using fsuid at this point stops me from enabling user
mounts under /share if /share is chmod 000 (which it is).

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Follow-Ups:
- Re: [patch] unprivileged mounts update
  - From: Eric W. Biederman

References:
- [patch] unprivileged mounts update
  - From: Miklos Szeredi
- Re: [patch] unprivileged mounts update
  - From: Miklos Szeredi
- Re: [patch] unprivileged mounts update
  - From: H. Peter Anvin

Prev by Date: Re: mm snapshot broken-out-2007-04-25-02-49.tar.gz uploaded
Next by Date: Re: Found this in my logs
Previous by thread: Re: [patch] unprivileged mounts update
Next by thread: Re: [patch] unprivileged mounts update
Index(es):
- Date
- Thread

Relevant Pages

Re: [patch] unprivileged mounts update
... Serge found a problem with the fsuid approach: ... remove filesystem related capabilities. ... Root should be able to set this flag on any mountpoint, ... If it were really the equivalent then I could keep my capabilities:) ...
(Linux-Kernel)
Re: [patch] unprivileged mounts update
... Serge found a problem with the fsuid approach: ... remove filesystem related capabilities. ... Root should be able to set this flag on any mountpoint, ... If it were really the equivalent then I could keep my capabilities:) ...
(Linux-Kernel)
Re: [patch] unprivileged mounts update
... Serge found a problem with the fsuid approach: ... remove filesystem related capabilities. ... Root should be able to set this flag on any mountpoint, ...
(Linux-Kernel)
Another 2.6.13-ck3 locks machine after some time, 2.6.12.5 work fine
... 0000:00:00.3 Host bridge: VIA Technologies, ... Capabilities: <available only to root> ... I/O ports at b000 ...
(Linux-Kernel)
Re: patch to make Linux capabilities into something useful (v 0.3.1)
... used root, cd'ing to a colleagues source tree, su'ing to root, and who ... root privileges imply the ability to override filesystem discretionary ... Posix capabilities design.... ... But that means libc would need to know which bit positions were ...
(Linux-Kernel)