Re: [patch 2/2] VFS: allow filesystem to override mknod capability checks
- From: Christoph Hellwig <hch@xxxxxxxxxxxxx>
- Date: Mon, 24 Sep 2007 13:38:13 +0100
On Mon, Sep 24, 2007 at 02:25:54PM +0200, Miklos Szeredi wrote:
From: Miklos Szeredi <mszeredi@xxxxxxx>
Add a new super block flag, that results in the VFS not checking if
the current process has enough privileges to do an mknod().
If this flag is set, all mounts for this super block will have the
"nodev" flag implied.
This is needed on filesystems, where an unprivileged user may be able
to create a device node, without causing security problems.
One such example is "mountlo" a loopback mount utility implemented
with fuse and UML, which runs as an unprivileged userspace process.
In this case the user does in fact have the right to create device
nodes within the filesystem image, as long as the user has write
access to the image. Since the filesystem is mounted with "nodev",
adding device nodes is not a security concern.
This one looks okay, but I'd prefer to not put it in until we actually
have proper non-privilegued mounts.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- References:
- [patch 1/2] VFS: new fgetattr() file operation
- From: Miklos Szeredi
- [patch 2/2] VFS: allow filesystem to override mknod capability checks
- From: Miklos Szeredi
- [patch 1/2] VFS: new fgetattr() file operation
- Prev by Date: Re: [patch 1/2] VFS: new fgetattr() file operation
- Next by Date: Re: Compilation problem with kernel 2.6.9
- Previous by thread: [patch 2/2] VFS: allow filesystem to override mknod capability checks
- Next by thread: Re: [patch 2/2] VFS: allow filesystem to override mknod capability checks
- Index(es):
Relevant Pages
|
