On Wed, Oct 22, 2014 at 04:24:19PM -0500, Seth Forshee wrote: > Unprivileged users are normally restricted from mounting with the > allow_other option by system policy, but this could be bypassed > for a mount done with user namespace root permissions. In such > cases allow_oth er should not allow users outside the userns > to access the mount as doing so would give the unprivileged user > the ability to manipulate processes it would otherwise be unable > to manipulate. Therefore access with allow_other should be > restricted to users in the userns as the superblock or a > descendant of that namespace.
Fine. But aren't this kind of thing supposed to be prevented anyway by having private mount namespace coupled with the pid-user-whatever namespace? It seems like being a bit too careful (not to say that that's a bad thing). Thanks, Miklos -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
