The following extra security measures are taken for unprivileged
mounts:
- usermounts are limited by a sysctl tunable
- force nosuid,nodev mount options on the created mount
The original userspace user= solution also implies the noexec
option by default (you can override the
From: Miklos Szeredi [EMAIL PROTECTED]
- refine adding nosuid and nodev flags for unprivileged mounts:
o add nosuid, only if mounter doesn't have CAP_SETUID capability
o add nodev, only if mounter doesn't have CAP_MKNOD capability
- allow unprivileged forced unmount, but only for FS_SAFE
On Wed, Apr 25, 2007 at 09:18:28AM +0200, Miklos Szeredi wrote:
The following extra security measures are taken for unprivileged
mounts:
- usermounts are limited by a sysctl tunable
- force nosuid,nodev mount options on the created mount
The original userspace user=
On Wed, Apr 25, 2007 at 05:50:55AM +0530, Karuna sagar K wrote:
On 4/24/07, Theodore Tso [EMAIL PROTECTED] wrote:
On Mon, Apr 23, 2007 at 02:53:33PM -0600, Andreas Dilger wrote:
It would also be good to distinguish between directories referencing
files in another chunk, and
Move generic skbuff stuff from XFRM code to generic code so that AF_RXRPC can
use it too.
The kdoc comments I've attached to the functions need to be checked by whoever
wrote them as I had to make some guesses about the workings of these functions.
Signed-Off-By: David Howells [EMAIL PROTECTED]
The first of these patches together provide secure client-side RxRPC
connectivity as a Linux kernel socket family. Only the RxRPC transport/session
side is supplied - the presentation side (marshalling the data) is left to the
client. Copies of the patches can be found here:
del_timer_sync() buys nothing for cancel_delayed_work(), but it is less
efficient since it locks the timer unconditionally, and may wait for the
completion of the delayed_work_timer_fn().
cancel_delayed_work() == 0 means:
before this patch:
work-func may still be running
Export try_to_del_timer_sync() for use by the AF_RXRPC module.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
kernel/timer.c |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/timer.c b/kernel/timer.c
index dd6c2c1..b22bd39 100644
--- a/kernel/timer.c
+++
Export the keyring key type definition and document its availability.
Add alternative types into the key's type_data union to make it more useful.
Not all users necessarily want to use it as a list_head (AF_RXRPC doesn't, for
example), so make it clear that it can be used in other ways.
Handle multiple mounts of an AFS superblock correctly, checking to see whether
the superblock is already initialised after calling sget() rather than just
unconditionally stamping all over it.
Also delete the silent parameter to afs_fill_super() as it's not used and
can, in any case, be obtained
[NETLINK]: Mirror UDP MSG_TRUNC semantics.
If the user passes MSG_TRUNC in via msg_flags, return
the full packet size not the truncated size.
Idea from Herbert Xu and Thomas Graf.
Signed-off-by: David S. Miller [EMAIL PROTECTED]
---
net/netlink/af_netlink.c |3 +++
1 files
On Tue, Apr 24, 2007 at 04:53:11PM -0500, Amit Gud wrote:
Nikita Danilov wrote:
Maybe I failed to describe the problem precisely.
Suppose that all chunks have been checked. After that, for every inode
I0 having continuations I1, I2, ... In, one has to check that every
logical block is
Implement the CB.InitCallBackState3 operation for the fileserver to call.
This reduces the amount of network traffic because if this op is aborted, the
fileserver will then attempt a CB.InitCallBackState operation.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/afs/AFS_CM.h|1 +
Add support for the CB.GetCapabilities operation with which the fileserver can
ask the client for the following information:
(1) The list of network interfaces it has available as IPv4 address + netmask
plus the MTUs.
(2) The client's UUID.
(3) The extended capabilities of the client,
Update the AFS fs documentation.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
Documentation/filesystems/afs.txt | 214 +++--
1 files changed, 154 insertions(+), 60 deletions(-)
diff --git a/Documentation/filesystems/afs.txt
On 4/23/07, Avishay Traeger [EMAIL PROTECTED] wrote:
On Mon, 2007-04-23 at 02:16 +0530, Karuna sagar K wrote:
snip
You may want to check out the paper EXPLODE: A Lightweight, General
System for Finding Serious Storage System Errors from OSDI 2006 (if you
haven't already). The idea sounds very
From: Miklos Szeredi [EMAIL PROTECTED]
- refine adding nosuid and nodev flags for unprivileged mounts:
o add nosuid, only if mounter doesn't have CAP_SETUID capability
o add nodev, only if mounter doesn't have CAP_MKNOD capability
- allow unprivileged forced unmount, but only for
Implement the CB.InitCallBackState3 operation for the fileserver to call.
This reduces the amount of network traffic because if this op is aborted, the
fileserver will then attempt a CB.InitCallBackState operation.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/afs/afs_cm.h|1 +
Miklos Szeredi wrote:
Andrew, please skip this patch, for now.
Serge found a problem with the fsuid approach: setfsuid(nonzero) will
remove filesystem related capabilities. So even if root is trying to
set the user=UID flag on a mount, access to the target (and in case
of bind, the
On Wed, 25 Apr 2007, Nikita Danilov wrote:
David Lang writes:
On Tue, 24 Apr 2007, Nikita Danilov wrote:
David Lang writes:
On Tue, 24 Apr 2007, Nikita Danilov wrote:
Amit Gud writes:
Hello,
This is an initial implementation of ChunkFS technique, briefly
Quoting H. Peter Anvin ([EMAIL PROTECTED]):
Miklos Szeredi wrote:
Andrew, please skip this patch, for now.
Serge found a problem with the fsuid approach: setfsuid(nonzero) will
remove filesystem related capabilities. So even if root is trying to
set the user=UID flag on a mount,
Miklos Szeredi [EMAIL PROTECTED] writes:
From: Miklos Szeredi [EMAIL PROTECTED]
- refine adding nosuid and nodev flags for unprivileged mounts:
o add nosuid, only if mounter doesn't have CAP_SETUID capability
o add nodev, only if mounter doesn't have CAP_MKNOD capability
- allow
Quoting Eric W. Biederman ([EMAIL PROTECTED]):
Miklos Szeredi [EMAIL PROTECTED] writes:
From: Miklos Szeredi [EMAIL PROTECTED]
- refine adding nosuid and nodev flags for unprivileged mounts:
o add nosuid, only if mounter doesn't have CAP_SETUID capability
o add nodev, only if
Serge E. Hallyn [EMAIL PROTECTED] writes:
Quoting H. Peter Anvin ([EMAIL PROTECTED]):
Miklos Szeredi wrote:
Andrew, please skip this patch, for now.
Serge found a problem with the fsuid approach: setfsuid(nonzero) will
remove filesystem related capabilities. So even if root is
Andreas Dilger wrote:
How do you recover if fsfuzzer takes out a cnode in the chain? The
chunk is marked clean, but clearly corrupted and needs fixing and
you don't know what it was pointing at. Hence you have a pointer to
a trashed cnode *somewhere* that you need to find and fix, and a
bunch
Quoting Eric W. Biederman ([EMAIL PROTECTED]):
Serge E. Hallyn [EMAIL PROTECTED] writes:
Quoting H. Peter Anvin ([EMAIL PROTECTED]):
Miklos Szeredi wrote:
Andrew, please skip this patch, for now.
Serge found a problem with the fsuid approach: setfsuid(nonzero) will
remove
Serge E. Hallyn [EMAIL PROTECTED] writes:
Quoting Eric W. Biederman ([EMAIL PROTECTED]):
Are there other permission checks that mount is doing that we
care about.
Not mount itself, but in looking up /share/fa/root/home/fa,
user fa doesn't have the rights to read /share, and by setting
Quoting Eric W. Biederman ([EMAIL PROTECTED]):
Serge E. Hallyn [EMAIL PROTECTED] writes:
Quoting Eric W. Biederman ([EMAIL PROTECTED]):
Are there other permission checks that mount is doing that we
care about.
Not mount itself, but in looking up /share/fa/root/home/fa,
user fa
On Wed, 25 Apr 2007 17:18:12 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:
From: Miklos Szeredi [EMAIL PROTECTED]
- refine adding nosuid and nodev flags for unprivileged mounts:
o add nosuid, only if mounter doesn't have CAP_SETUID capability
o add nodev, only if mounter
Right, I figure if the normal action is to always do
mnt-user = current-fsuid, then for the special case we
pass a uid in someplace. Of course... do we not have a
place to do that? Would it be a no-no to use 'data' for
a non-fs-specific arg?
I guess it would be OK for bind, but not for
From: David Howells [EMAIL PROTECTED]
Date: Wed, 25 Apr 2007 14:38:32 +0100
I think the idea is for them (or at least some of them) to go
through one of DaveM's net git trees anyway.
Then please generate your patches against my net-2.6.21 GIT
tree. Most of your initial patches in the series
I'll be dropping all the unprivileged-mounts stuff - it looks like
it was a bit early, and that a new patch series against 2.6.27-rc1
Yeah, I guess we can wait a few more years ;) -^^^
Miklos
David Miller [EMAIL PROTECTED] wrote:
Then please generate your patches against my net-2.6.21 GIT
tree. Most of your initial patches in the series (the SKB
routine one for example) are already in my tree.
Do you mean your net-2.6.22 GIT tree?
Do you want me to make it available as a GIT
From: David Howells [EMAIL PROTECTED]
Date: Wed, 25 Apr 2007 20:56:47 +0100
David Miller [EMAIL PROTECTED] wrote:
Then please generate your patches against my net-2.6.21 GIT
tree. Most of your initial patches in the series (the SKB
routine one for example) are already in my tree.
Do
On Tue, Apr 24, 2007 at 11:34:48PM +0400, Nikita Danilov wrote:
Maybe I failed to describe the problem precisely.
Suppose that all chunks have been checked. After that, for every inode
I0 having continuations I1, I2, ... In, one has to check that every
logical block is presented in at most
On Wed, Apr 25, 2007 at 03:34:03PM +0400, Nikita Danilov wrote:
What is more important, design puts (as far as I can see) no upper limit
on the number of continuation inodes, and hence, even if _average_ fsck
time is greatly reduced, occasionally it can take more time than ext2 of
the same
On Wed, Apr 25, 2007 at 08:54:34PM +1000, David Chinner wrote:
On Tue, Apr 24, 2007 at 04:53:11PM -0500, Amit Gud wrote:
The structure looks like this:
-- --
| cnode 0 |--| cnode 0 |-- to another cnode or NULL
-- --
On Wed, Apr 25, 2007 at 05:38:34AM -0600, Andreas Dilger wrote:
The case where only a fsck of the corrupt chunk is done would not find the
cnode references. Maybe there needs to be per-chunk info which contains
a list/bitmap of other chunks that have cnodes shared with each chunk?
Yes,
On Wed, Apr 25, 2007 at 04:03:44PM -0700, Valerie Henson wrote:
On Wed, Apr 25, 2007 at 08:54:34PM +1000, David Chinner wrote:
On Tue, Apr 24, 2007 at 04:53:11PM -0500, Amit Gud wrote:
The structure looks like this:
-- --
| cnode 0 |--|