Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-30 Thread Eric W. Biederman
Seth Forshee writes: > On Tue, Mar 29, 2016 at 08:36:09PM -0500, Eric W. Biederman wrote: >> Seth Forshee writes: >> >> > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> >> In general this is only an issue if uids

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-30 Thread Eric W. Biederman
Seth Forshee writes: > On Tue, Mar 29, 2016 at 08:36:09PM -0500, Eric W. Biederman wrote: >> Seth Forshee writes: >> >> > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> >> In general this is only an issue if uids and gids on the filesystem >> >> do not map into the user

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-30 Thread Seth Forshee
On Tue, Mar 29, 2016 at 08:36:09PM -0500, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > >> In general this is only an issue if uids and gids on the filesystem > >> do not map into the user

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-30 Thread Seth Forshee
On Tue, Mar 29, 2016 at 08:36:09PM -0500, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > >> In general this is only an issue if uids and gids on the filesystem > >> do not map into the user namespace. > >> > >>

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-29 Thread Eric W. Biederman
Seth Forshee writes: > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> In general this is only an issue if uids and gids on the filesystem >> do not map into the user namespace. >> >> Therefore the general fix is to limit the logic of checking

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-29 Thread Eric W. Biederman
Seth Forshee writes: > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> In general this is only an issue if uids and gids on the filesystem >> do not map into the user namespace. >> >> Therefore the general fix is to limit the logic of checking for >> capabilities in

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-28 Thread Seth Forshee
On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > In general this is only an issue if uids and gids on the filesystem > do not map into the user namespace. > > Therefore the general fix is to limit the logic of checking for > capabilities in s_user_ns if we are dealing with

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-07 Thread Seth Forshee
On Sun, Mar 06, 2016 at 04:07:49PM -0600, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > >> Seth Forshee writes: > >> > >> > On Mon, Jan 04, 2016 at 12:03:50PM

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-07 Thread Seth Forshee
On Sun, Mar 06, 2016 at 04:07:49PM -0600, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > >> Seth Forshee writes: > >> > >> > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: > >> >> The mounter of a

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-06 Thread Eric W. Biederman
Seth Forshee writes: > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> Seth Forshee writes: >> >> > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: >> >> The mounter of a filesystem should be privileged

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-06 Thread Eric W. Biederman
Seth Forshee writes: > On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: >> Seth Forshee writes: >> >> > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: >> >> The mounter of a filesystem should be privileged towards the >> >> inodes of that filesystem. Extend the

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-06 Thread Seth Forshee
On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: > >> The mounter of a filesystem should be privileged towards the > >> inodes of that filesystem. Extend the

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-06 Thread Seth Forshee
On Fri, Mar 04, 2016 at 04:43:06PM -0600, Eric W. Biederman wrote: > Seth Forshee writes: > > > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: > >> The mounter of a filesystem should be privileged towards the > >> inodes of that filesystem. Extend the checks in > >>

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-04 Thread Eric W. Biederman
Seth Forshee writes: > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: >> The mounter of a filesystem should be privileged towards the >> inodes of that filesystem. Extend the checks in >> inode_owner_or_capable() and capable_wrt_inode_uidgid() to >>

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-04 Thread Eric W. Biederman
Seth Forshee writes: > On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: >> The mounter of a filesystem should be privileged towards the >> inodes of that filesystem. Extend the checks in >> inode_owner_or_capable() and capable_wrt_inode_uidgid() to >> permit access by users

Re: [PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-03-03 Thread Seth Forshee
On Mon, Jan 04, 2016 at 12:03:50PM -0600, Seth Forshee wrote: > The mounter of a filesystem should be privileged towards the > inodes of that filesystem. Extend the checks in > inode_owner_or_capable() and capable_wrt_inode_uidgid() to > permit access by users privileged in the user namespace of

[PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-01-04 Thread Seth Forshee
The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users privileged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee Acked-by: Serge

[PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-01-04 Thread Seth Forshee
The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users privileged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee