On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote: > On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > > You know, wrt. the mechanism Oleg suggested, I've been wondering if > > it's > > even necessary to capture process template information for > > execution. > > > > Isn't the main issue the execution of unknown arbitrary objects > > getting > > access to a privileged context? > > > > Then perhaps it is sufficient to require registration of an SHA hash > > (of > > some sort) for these objects by a suitably privileged process and > > only > > allow helper execution of valid objects. > > That executable probably also depends on libraries, services, and tons > of other miscellaneous stuff in its environment. The NFSv4 client > idmapper, for example, may be doing ldap calls. Unless the helper is > created with incredible care, I don't think that it's enough just to > verify that you're executing the correct helper.
Yeah, I was thinking the logistics of keeping something like this up to date would be hard but calculating this for every call would be too much overhead I think. > > --b. > > > > > If that is sufficient then helper execution from within a container > > or > > user namespace could just use the callers environment itself. > > > > What else do we need to be wary of, any thoughts Eric? > > > > Ian