Re: [patch 0/8] unprivileged mount syscall

2007-04-16 Thread Ram Pai
On Fri, 2007-04-13 at 13:58 +0200, Miklos Szeredi wrote: On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote: 1. clone the master namespace. 2. in the new namespace move the tree under /share/$me to / for each ($user, $what, $how) {

Re: [patch 0/8] unprivileged mount syscall

2007-04-16 Thread Ram Pai
On Fri, 2007-04-13 at 16:05 +0200, Miklos Szeredi wrote: Thinking a bit more about this, I'm quite sure most users wouldn't even want private namespaces. It would be enough to chroot /share/$USER and be done with it. Private namespaces are only good for keeping a

Re: [patch 0/8] unprivileged mount syscall

2007-04-16 Thread Miklos Szeredi
Arn't there ways to escape chroot jails? Serge had pointed me to a URL which showed chroots can be escaped. And if that is true than having all user's private mount tree in the same namespace can be a security issue? No. In fact chrooting the user into /share/$USER will actually _grant_ a

Re: [patch 0/8] unprivileged mount syscall

2007-04-16 Thread Eric W. Biederman
Miklos Szeredi [EMAIL PROTECTED] writes: Arn't there ways to escape chroot jails? Serge had pointed me to a URL which showed chroots can be escaped. And if that is true than having all user's private mount tree in the same namespace can be a security issue? No. In fact chrooting the user

Re: [patch 0/8] unprivileged mount syscall

2007-04-16 Thread Miklos Szeredi
Arn't there ways to escape chroot jails? Serge had pointed me to a URL which showed chroots can be escaped. And if that is true than having all user's private mount tree in the same namespace can be a security issue? No. In fact chrooting the user into /share/$USER will actually

Re: [patch 0/8] unprivileged mount syscall

2007-04-15 Thread Miklos Szeredi
Thinking a bit more about this, I'm quite sure most users wouldn't even want private namespaces. It would be enough to chroot /share/$USER and be done with it. I don't think so. How to you want to implement non-shared /tmp directories? mount --bind /.tmp/$USER

Re: [patch 0/8] unprivileged mount syscall

2007-04-15 Thread Miklos Szeredi
Agreed on desired behavior, but not on chroot sufficing. It actually sounds like you want exactly what was outlined in the OLS paper. Users still need to be in a different mounts namespace from the admin user so long as we consider the deluser and backup problems I don't

Re: [patch 0/8] unprivileged mount syscall

2007-04-13 Thread Miklos Szeredi
On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote: 1. clone the master namespace. 2. in the new namespace move the tree under /share/$me to / for each ($user, $what, $how) { move /share/$user/$what to /$what if ($how == slave) {

Re: [patch 0/8] unprivileged mount syscall

2007-04-13 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote: 1. clone the master namespace. 2. in the new namespace move the tree under /share/$me to / for each ($user, $what, $how) { move

Re: [patch 0/8] unprivileged mount syscall

2007-04-13 Thread Miklos Szeredi
Thinking a bit more about this, I'm quite sure most users wouldn't even want private namespaces. It would be enough to chroot /share/$USER and be done with it. Private namespaces are only good for keeping a bunch of mounts referenced by a group of processes. But my guess

Re: [patch 0/8] unprivileged mount syscall

2007-04-13 Thread Karel Zak
On Fri, Apr 13, 2007 at 01:58:59PM +0200, Miklos Szeredi wrote: On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote: 1. clone the master namespace. 2. in the new namespace move the tree under /share/$me to / for each ($user, $what, $how) {

Re: [patch 0/8] unprivileged mount syscall

2007-04-13 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): Thinking a bit more about this, I'm quite sure most users wouldn't even want private namespaces. It would be enough to chroot /share/$USER and be done with it. Private namespaces are only good for keeping a bunch of mounts

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Miklos Szeredi
This patchset adds support for keeping mount ownership information in the kernel, and allow unprivileged mount(2) and umount(2) in certain cases. Well, I'd like to feel all smart and point out some bugs, but the code all reads very nicely, seems to work as advertised, and while I won't

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Miklos Szeredi
- users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone to do bind mounts are poorly understood. And especially so since there is no way for a filesystem

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Ian Kent
On Wed, 2007-04-11 at 12:48 +0200, Miklos Szeredi wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone to do bind mounts are poorly

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Serge E. Hallyn
Quoting Ian Kent ([EMAIL PROTECTED]): On Wed, 2007-04-11 at 12:48 +0200, Miklos Szeredi wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Ian Kent
On Wed, 2007-04-11 at 09:26 -0500, Serge E. Hallyn wrote: Quoting Ian Kent ([EMAIL PROTECTED]): On Wed, 2007-04-11 at 12:48 +0200, Miklos Szeredi wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Serge E. Hallyn
Quoting Ian Kent ([EMAIL PROTECTED]): On Wed, 2007-04-11 at 09:26 -0500, Serge E. Hallyn wrote: Quoting Ian Kent ([EMAIL PROTECTED]): On Wed, 2007-04-11 at 12:48 +0200, Miklos Szeredi wrote: - users can use bind mounts without having to pre-configure them in

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Ram Pai
On Wed, 2007-04-11 at 12:44 +0200, Miklos Szeredi wrote: 1. clone the master namespace. 2. in the new namespace move the tree under /share/$me to / for each ($user, $what, $how) { move /share/$user/$what to /$what if ($how == slave) {

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Miklos Szeredi
It would be nice in general if we could avoid any sort of checks for (mnt-mnt_ns == init_nsproxy.mnt_ns). Maybe that won't be possible, but, taking the two listed examples: [snip] It's probably worthwile going after these problematic cases, and fixing them, OTOH it's not easy to audit a

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): It would be nice in general if we could avoid any sort of checks for (mnt-mnt_ns == init_nsproxy.mnt_ns). Maybe that won't be possible, but, taking the two listed examples: [snip] It's probably worthwile going after these problematic cases,

Re: [patch 0/8] unprivileged mount syscall

2007-04-11 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): Not objecting to prctl(), but two other options would be 1. add a CLONE_NEW_NS_USERMNT flag - kind of ugly, but that is the time at which the ns is created, so in that sense it makes sense. Yes, I thought about this, but

Re: [patch 0/8] unprivileged mount syscall

2007-04-10 Thread Ram Pai
On Mon, 2007-04-09 at 22:10 +0200, Miklos Szeredi wrote: The one in pam-0.99.6.3-29.1 in opensuse-10.2 is totally broken. Are you interested in the details? I can reproduce it, but forgot to note down the details of the brokenness. I don't know how far removed that is from the one

Re: [patch 0/8] unprivileged mount syscall

2007-04-10 Thread Ian Kent
On Fri, 2007-04-06 at 16:16 -0700, H. Peter Anvin wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone to do bind mounts are poorly understood. And

Re: [patch 0/8] unprivileged mount syscall

2007-04-10 Thread Karel Zak
On Mon, Apr 09, 2007 at 10:46:25AM -0700, Ram Pai wrote: On Mon, 2007-04-09 at 12:07 -0500, Serge E. Hallyn wrote: Quoting Miklos Szeredi ([EMAIL PROTECTED]): - need to set up mount propagation from global namespace to private ones, mount(8) does not yet have options to configure

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Miklos Szeredi
One thing that is missing from this series is the ability to restrict user mounts to private namespaces. The reason is that private namespaces have still not gained the momentum and support needed for painless user experience. So such a feature would not yet get enough

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): One thing that is missing from this series is the ability to restrict user mounts to private namespaces. The reason is that private namespaces have still not gained the momentum and support needed for painless user experience. So

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Ram Pai
On Mon, 2007-04-09 at 12:07 -0500, Serge E. Hallyn wrote: Quoting Miklos Szeredi ([EMAIL PROTECTED]): - need to set up mount propagation from global namespace to private ones, mount(8) does not yet have options to configure propagation Hmm, I guess I get lost using my own little

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread H. Peter Anvin
Ram Pai wrote: It is in FC6. I dont know the status off upstream util-linux. I did submit the patch many times to Adrian Bunk (the then util-linux maintainer) and got no response. I have not pushed the patches to the new maintainer(Karel Zak?) though. Well, do that, then :) Seriously. The

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Miklos Szeredi
The one in pam-0.99.6.3-29.1 in opensuse-10.2 is totally broken. Are you interested in the details? I can reproduce it, but forgot to note down the details of the brokenness. I don't know how far removed that is from the one being used by redhat, but assuming it's the same, then

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Miklos Szeredi
One thing that is missing from this series is the ability to restrict user mounts to private namespaces. The reason is that private namespaces have still not gained the momentum and support needed for painless user experience. So such a feature would not yet get enough attention and

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): One thing that is missing from this series is the ability to restrict user mounts to private namespaces. The reason is that private namespaces have still not gained the momentum and support needed for painless user experience. So such a

Re: [patch 0/8] unprivileged mount syscall

2007-04-09 Thread Serge E. Hallyn
Quoting Miklos Szeredi ([EMAIL PROTECTED]): This patchset adds support for keeping mount ownership information in the kernel, and allow unprivileged mount(2) and umount(2) in certain cases. Well, I'd like to feel all smart and point out some bugs, but the code all reads very nicely, seems to

Re: [patch 0/8] unprivileged mount syscall

2007-04-07 Thread Miklos Szeredi
This patchset adds support for keeping mount ownership information in the kernel, and allow unprivileged mount(2) and umount(2) in certain cases. No replies, huh? All we need is a comment from Andrew, and the replies come flooding in ;) My knowledge of the code which you're touching is

Re: [patch 0/8] unprivileged mount syscall

2007-04-07 Thread Miklos Szeredi
On 4/6/07, H. Peter Anvin [EMAIL PROTECTED] wrote: Jan Engelhardt wrote: On Apr 6 2007 16:16, H. Peter Anvin wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of

Re: [patch 0/8] unprivileged mount syscall

2007-04-06 Thread Andrew Morton
On Wed, 04 Apr 2007 20:30:12 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote: This patchset adds support for keeping mount ownership information in the kernel, and allow unprivileged mount(2) and umount(2) in certain cases. No replies, huh? My knowledge of the code which you're touching is not

Re: [patch 0/8] unprivileged mount syscall

2007-04-06 Thread Jan Engelhardt
On Apr 6 2007 16:16, H. Peter Anvin wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone to do bind mounts are poorly understood. $ whoami miklos $ mount

Re: [patch 0/8] unprivileged mount syscall

2007-04-06 Thread H. Peter Anvin
Jan Engelhardt wrote: On Apr 6 2007 16:16, H. Peter Anvin wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone to do bind mounts are poorly understood. $ whoami

Re: [patch 0/8] unprivileged mount syscall

2007-04-06 Thread Eric Van Hensbergen
On 4/6/07, H. Peter Anvin [EMAIL PROTECTED] wrote: Jan Engelhardt wrote: On Apr 6 2007 16:16, H. Peter Anvin wrote: - users can use bind mounts without having to pre-configure them in /etc/fstab This is by far the biggest concern I see. I think the security implication of allowing anyone

[patch 0/8] unprivileged mount syscall

2007-04-04 Thread Miklos Szeredi
This patchset adds support for keeping mount ownership information in the kernel, and allow unprivileged mount(2) and umount(2) in certain cases. This can be useful for the following reasons: - mount(8) can store ownership (user=XY option) in the kernel instead, or in addition to storing it in