subject:"Re\: \[patch 2\/8\] allow unprivileged umount"

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

> > Does this mean, that containers will need this?  Or that you don't
> > know yet?
> 
> The uid namespace is something we have to handle carefully and we
> have not decided on the final design.
> 
> What is clear is that all permission checks will need to become
> either (uid namspace, uid) tuple comparisons.  Or struct user
> pointer comparisons.  To see if we are talking about the same
> uid.
> 
> So the eventual uid namespace combined with the possibility
> for rlimits if we use struct user *.  See to make using a struct
> user a clear win.

OK, if we don't yet know, I'd rather leave this for later.  It will be
trivial to change to user_struct if we want per-user rlimits.

> >> storing a user struct on each mount point seems sane, plus it allows
> >> per user mount rlimits which is major plus.  Especially since we
> >> seem to be doing accounting only for user mounts a per user rlimit
> >> seems good.
> >
> > I'm not against per-user rlimits for mounts, but I'd rather do this
> > later...
> 
> Then let's add a non-discriminate limit.  Instead of a limit that
> applies only to root.

See reply to relevant patch.

> >> To get the user we should be user fs_uid as HPA suggested.
> >
> > fsuid is exclusively used for checking file permissions, which we
> > don't do here anymore.  So while it could be argued, that mount() _is_
> > a filesystem operation, it is really a different sort of filesystem
> > operation than the rest.
> >
> > OTOH it wouldn't hurt to use fsuid instead of ruid...
> 
> Yes.  I may be confused but I'm pretty certain we want either
> the fsuid or the euid to be the mount owner.  ruid just looks wrong.
> The fsuid is a special case of the effective uid.  Which is who
> we should perform operations as.  Unless I'm just confused.

Definitely not euid.  Euid is the one which is effective, i.e. it will
basically always be zero for a privileged mount().

Ruid is the one which is returned by getuid().  If a user execs a
suid-root program, then ruid will be the id of the user, while euid
will be zero.


> >> Finally I'm pretty certain the capability we should care about in
> >> this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
> >> 
> >> If we have CAP_SETUID we can become which ever user owns the mount,
> >> and the root user in a container needs this, so he can run login
> >> programs.  So changing the appropriate super user checks from
> >> CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.
> >
> > That's a flawed logic.  If you want to mount as a specific user, and
> > you have CAP_SETUID, then just use set*uid() and then mount().
> 
> Totally agreed for mount.
> 
> > Changing the capability check for mount() would break the userspace
> > ABI.
> 
> Sorry I apparently wasn't clear.  CAP_SETUID should be the capability
> check for umount.

The argument applies to umount as well.  For compatibility, we _need_
the CAP_SYS_ADMIN check.  And if program has CAP_SETUID but not
CAP_SYS_ADMIN, it can just set the id to the mount owner before
calling umount.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Eric W. Biederman

Miklos Szeredi <[EMAIL PROTECTED]> writes:

> Does this mean, that containers will need this?  Or that you don't
> know yet?

The uid namespace is something we have to handle carefully and we
have not decided on the final design.

What is clear is that all permission checks will need to become
either (uid namspace, uid) tuple comparisons.  Or struct user
pointer comparisons.  To see if we are talking about the same
uid.

So the eventual uid namespace combined with the possibility
for rlimits if we use struct user *.  See to make using a struct
user a clear win.

>> storing a user struct on each mount point seems sane, plus it allows
>> per user mount rlimits which is major plus.  Especially since we
>> seem to be doing accounting only for user mounts a per user rlimit
>> seems good.
>
> I'm not against per-user rlimits for mounts, but I'd rather do this
> later...

Then let's add a non-discriminate limit.  Instead of a limit that
applies only to root.

>> To get the user we should be user fs_uid as HPA suggested.
>
> fsuid is exclusively used for checking file permissions, which we
> don't do here anymore.  So while it could be argued, that mount() _is_
> a filesystem operation, it is really a different sort of filesystem
> operation than the rest.
>
> OTOH it wouldn't hurt to use fsuid instead of ruid...

Yes.  I may be confused but I'm pretty certain we want either
the fsuid or the euid to be the mount owner.  ruid just looks wrong.
The fsuid is a special case of the effective uid.  Which is who
we should perform operations as.  Unless I'm just confused.

>> Finally I'm pretty certain the capability we should care about in
>> this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
>> 
>> If we have CAP_SETUID we can become which ever user owns the mount,
>> and the root user in a container needs this, so he can run login
>> programs.  So changing the appropriate super user checks from
>> CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.
>
> That's a flawed logic.  If you want to mount as a specific user, and
> you have CAP_SETUID, then just use set*uid() and then mount().

Totally agreed for mount.

> Changing the capability check for mount() would break the userspace
> ABI.

Sorry I apparently wasn't clear.  CAP_SETUID should be the capability
check for umount.

Hopefully my other more detail replies helped with this.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

>   I suspect we can allow MNT_FORCE for non-privileged users 
>   as well if we can trust the filesystem.

I don't think so.  MNT_FORCE has side effects on the superblock.  So a
user shouldn't be able to force an unmount on a bind mount s/he did,
but there's no problem with allowing plain/lazy unmounts.

We could possibly allow MNT_FORCE, for FS_SAFE filesystems.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

> > On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi <[EMAIL PROTECTED]> wrote:
> >
> >> > > +static bool permit_umount(struct vfsmount *mnt, int flags)
> >> > > +{
> >> > >
> >> > > ...
> >> > >
> >> > > +  return mnt->mnt_uid == current->uid;
> >> > > +}
> >> > 
> >> > Yes, this seems very wrong.  I'd have thought that comparing 
> >> > user_struct*'s
> >> > would get us a heck of a lot closer to being able to support aliasing of
> >> > UIDs between different namespaces.
> >> > 
> >> 
> >> OK, I'll fix this up.
> >> 
> >> Actually an earlier version of this patch did use user_struct's but
> >> I'd changed it to uids, because it's simpler.
> >
> > OK..
> >
> >>  I didn't think about
> >> this being contrary to the id namespaces thing.
> >
> > Well I was madly assuming that when serarate UID namespaces are in use, UID
> > 42 in container A will have a different user_struct from UID 42 in
> > container B.  I'd suggest that we provoke an opinion from Eric & co before
> > you do work on this.
> 
> That is what I what I have been thinking as well,

Does this mean, that containers will need this?  Or that you don't
know yet?

> storing a user struct on each mount point seems sane, plus it allows
> per user mount rlimits which is major plus.  Especially since we
> seem to be doing accounting only for user mounts a per user rlimit
> seems good.

I'm not against per-user rlimits for mounts, but I'd rather do this
later...

> To get the user we should be user fs_uid as HPA suggested.

fsuid is exclusively used for checking file permissions, which we
don't do here anymore.  So while it could be argued, that mount() _is_
a filesystem operation, it is really a different sort of filesystem
operation than the rest.

OTOH it wouldn't hurt to use fsuid instead of ruid...

> Finally I'm pretty certain the capability we should care about in
> this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
> 
> If we have CAP_SETUID we can become which ever user owns the mount,
> and the root user in a container needs this, so he can run login
> programs.  So changing the appropriate super user checks from
> CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.

That's a flawed logic.  If you want to mount as a specific user, and
you have CAP_SETUID, then just use set*uid() and then mount().

Changing the capability check for mount() would break the userspace
ABI.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

  On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:
 
+static bool permit_umount(struct vfsmount *mnt, int flags)
+{
   
...
   
+  return mnt-mnt_uid == current-uid;
+}
   
   Yes, this seems very wrong.  I'd have thought that comparing 
   user_struct*'s
   would get us a heck of a lot closer to being able to support aliasing of
   UIDs between different namespaces.
   
  
  OK, I'll fix this up.
  
  Actually an earlier version of this patch did use user_struct's but
  I'd changed it to uids, because it's simpler.
 
  OK..
 
   I didn't think about
  this being contrary to the id namespaces thing.
 
  Well I was madly assuming that when serarate UID namespaces are in use, UID
  42 in container A will have a different user_struct from UID 42 in
  container B.  I'd suggest that we provoke an opinion from Eric  co before
  you do work on this.
 
 That is what I what I have been thinking as well,

Does this mean, that containers will need this?  Or that you don't
know yet?

 storing a user struct on each mount point seems sane, plus it allows
 per user mount rlimits which is major plus.  Especially since we
 seem to be doing accounting only for user mounts a per user rlimit
 seems good.

I'm not against per-user rlimits for mounts, but I'd rather do this
later...

 To get the user we should be user fs_uid as HPA suggested.

fsuid is exclusively used for checking file permissions, which we
don't do here anymore.  So while it could be argued, that mount() _is_
a filesystem operation, it is really a different sort of filesystem
operation than the rest.

OTOH it wouldn't hurt to use fsuid instead of ruid...

 Finally I'm pretty certain the capability we should care about in
 this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
 
 If we have CAP_SETUID we can become which ever user owns the mount,
 and the root user in a container needs this, so he can run login
 programs.  So changing the appropriate super user checks from
 CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.

That's a flawed logic.  If you want to mount as a specific user, and
you have CAP_SETUID, then just use set*uid() and then mount().

Changing the capability check for mount() would break the userspace
ABI.

Miklos
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

   I suspect we can allow MNT_FORCE for non-privileged users 
   as well if we can trust the filesystem.

I don't think so.  MNT_FORCE has side effects on the superblock.  So a
user shouldn't be able to force an unmount on a bind mount s/he did,
but there's no problem with allowing plain/lazy unmounts.

We could possibly allow MNT_FORCE, for FS_SAFE filesystems.

Miklos
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Eric W. Biederman

Miklos Szeredi [EMAIL PROTECTED] writes:

 Does this mean, that containers will need this?  Or that you don't
 know yet?

The uid namespace is something we have to handle carefully and we
have not decided on the final design.

What is clear is that all permission checks will need to become
either (uid namspace, uid) tuple comparisons.  Or struct user
pointer comparisons.  To see if we are talking about the same
uid.

So the eventual uid namespace combined with the possibility
for rlimits if we use struct user *.  See to make using a struct
user a clear win.

 storing a user struct on each mount point seems sane, plus it allows
 per user mount rlimits which is major plus.  Especially since we
 seem to be doing accounting only for user mounts a per user rlimit
 seems good.

 I'm not against per-user rlimits for mounts, but I'd rather do this
 later...

Then let's add a non-discriminate limit.  Instead of a limit that
applies only to root.

 To get the user we should be user fs_uid as HPA suggested.

 fsuid is exclusively used for checking file permissions, which we
 don't do here anymore.  So while it could be argued, that mount() _is_
 a filesystem operation, it is really a different sort of filesystem
 operation than the rest.

 OTOH it wouldn't hurt to use fsuid instead of ruid...

Yes.  I may be confused but I'm pretty certain we want either
the fsuid or the euid to be the mount owner.  ruid just looks wrong.
The fsuid is a special case of the effective uid.  Which is who
we should perform operations as.  Unless I'm just confused.

 Finally I'm pretty certain the capability we should care about in
 this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
 
 If we have CAP_SETUID we can become which ever user owns the mount,
 and the root user in a container needs this, so he can run login
 programs.  So changing the appropriate super user checks from
 CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.

 That's a flawed logic.  If you want to mount as a specific user, and
 you have CAP_SETUID, then just use set*uid() and then mount().

Totally agreed for mount.

 Changing the capability check for mount() would break the userspace
 ABI.

Sorry I apparently wasn't clear.  CAP_SETUID should be the capability
check for umount.

Hopefully my other more detail replies helped with this.

Eric
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-22 Thread Miklos Szeredi

  Does this mean, that containers will need this?  Or that you don't
  know yet?
 
 The uid namespace is something we have to handle carefully and we
 have not decided on the final design.
 
 What is clear is that all permission checks will need to become
 either (uid namspace, uid) tuple comparisons.  Or struct user
 pointer comparisons.  To see if we are talking about the same
 uid.
 
 So the eventual uid namespace combined with the possibility
 for rlimits if we use struct user *.  See to make using a struct
 user a clear win.

OK, if we don't yet know, I'd rather leave this for later.  It will be
trivial to change to user_struct if we want per-user rlimits.

  storing a user struct on each mount point seems sane, plus it allows
  per user mount rlimits which is major plus.  Especially since we
  seem to be doing accounting only for user mounts a per user rlimit
  seems good.
 
  I'm not against per-user rlimits for mounts, but I'd rather do this
  later...
 
 Then let's add a non-discriminate limit.  Instead of a limit that
 applies only to root.

See reply to relevant patch.

  To get the user we should be user fs_uid as HPA suggested.
 
  fsuid is exclusively used for checking file permissions, which we
  don't do here anymore.  So while it could be argued, that mount() _is_
  a filesystem operation, it is really a different sort of filesystem
  operation than the rest.
 
  OTOH it wouldn't hurt to use fsuid instead of ruid...
 
 Yes.  I may be confused but I'm pretty certain we want either
 the fsuid or the euid to be the mount owner.  ruid just looks wrong.
 The fsuid is a special case of the effective uid.  Which is who
 we should perform operations as.  Unless I'm just confused.

Definitely not euid.  Euid is the one which is effective, i.e. it will
basically always be zero for a privileged mount().

Ruid is the one which is returned by getuid().  If a user execs a
suid-root program, then ruid will be the id of the user, while euid
will be zero.


  Finally I'm pretty certain the capability we should care about in
  this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.
  
  If we have CAP_SETUID we can become which ever user owns the mount,
  and the root user in a container needs this, so he can run login
  programs.  So changing the appropriate super user checks from
  CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.
 
  That's a flawed logic.  If you want to mount as a specific user, and
  you have CAP_SETUID, then just use set*uid() and then mount().
 
 Totally agreed for mount.
 
  Changing the capability check for mount() would break the userspace
  ABI.
 
 Sorry I apparently wasn't clear.  CAP_SETUID should be the capability
 check for umount.

The argument applies to umount as well.  For compatibility, we _need_
the CAP_SYS_ADMIN check.  And if program has CAP_SETUID but not
CAP_SYS_ADMIN, it can just set the id to the mount owner before
calling umount.

Miklos
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Eric W. Biederman

Miklos Szeredi <[EMAIL PROTECTED]> writes:

> From: Miklos Szeredi <[EMAIL PROTECTED]>
>
> The owner doesn't need sysadmin capabilities to call umount().
>
> Similar behavior as umount(8) on mounts having "user=UID" option in
> /etc/mtab.  The difference is that umount also checks /etc/fstab,
> presumably to exclude another mount on the same mountpoint.
>
> Signed-off-by: Miklos Szeredi <[EMAIL PROTECTED]>
> ---
>
> Index: linux/fs/namespace.c
> ===
> --- linux.orig/fs/namespace.c 2007-04-20 11:55:05.0 +0200
> +++ linux/fs/namespace.c  2007-04-20 11:55:06.0 +0200
> @@ -659,6 +659,25 @@ static int do_umount(struct vfsmount *mn
>  }
>  
>  /*
> + * umount is permitted for
> + *  - sysadmin
> + *  - mount owner, if not forced umount
> + */
> +static bool permit_umount(struct vfsmount *mnt, int flags)
> +{
> + if (capable(CAP_SYS_ADMIN))
> + return true;
> +
> + if (!(mnt->mnt_flags & MNT_USER))
> + return false;
> +
> + if (flags & MNT_FORCE)
> + return false;
> +
> + return mnt->mnt_uid == current->uid;
> +}

I think this should be:

static bool permit_umount(struct vfsmount *mnt, int flags)
{
if ((mnt->mnt_uid != current->fsuid) && !capable(CAP_SETUID))
return false;

if ((flags & MNT_FORCE) && !capable(CAP_SYS_ADMIN))
return false;

return true;
}

I.e. 
  MNT_USER gone.
  compare against fsuid.
  Only require setuid for unmounts unless force is specified.

  I suspect we can allow MNT_FORCE for non-privileged users 
  as well if we can trust the filesystem.

> +/*
>   * Now umount can handle mount points as well as block devices.
>   * This is important for filesystems which use unnamed block devices.
>   *
> @@ -681,7 +700,7 @@ asmlinkage long sys_umount(char __user *
>   goto dput_and_out;
>  
>   retval = -EPERM;
> - if (!capable(CAP_SYS_ADMIN))
> + if (!permit_umount(nd.mnt, flags))
>   goto dput_and_out;
>  
>   retval = do_umount(nd.mnt, flags);
>
> --
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Eric W. Biederman

Andrew Morton <[EMAIL PROTECTED]> writes:

> On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi <[EMAIL PROTECTED]> wrote:
>
>> > > +static bool permit_umount(struct vfsmount *mnt, int flags)
>> > > +{
>> > >
>> > > ...
>> > >
>> > > +return mnt->mnt_uid == current->uid;
>> > > +}
>> > 
>> > Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
>> > would get us a heck of a lot closer to being able to support aliasing of
>> > UIDs between different namespaces.
>> > 
>> 
>> OK, I'll fix this up.
>> 
>> Actually an earlier version of this patch did use user_struct's but
>> I'd changed it to uids, because it's simpler.
>
> OK..
>
>>  I didn't think about
>> this being contrary to the id namespaces thing.
>
> Well I was madly assuming that when serarate UID namespaces are in use, UID
> 42 in container A will have a different user_struct from UID 42 in
> container B.  I'd suggest that we provoke an opinion from Eric & co before
> you do work on this.

That is what I what I have been thinking as well, storing a user
struct on each mount point seems sane, plus it allows per user mount
rlimits which is major plus.  Especially since we seem to be doing
accounting only for user mounts a per user rlimit seems good.

To get the user we should be user fs_uid as HPA suggested.

Finally I'm pretty certain the capability we should care about in
this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.

If we have CAP_SETUID we can become which ever user owns the mount,
and the root user in a container needs this, so he can run login
programs.  So changing the appropriate super user checks from
CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.

With the CAP_SETUID thing handled I'm not currently seeing any adverse
implications to using this in containers.

Ok.  Now that I have a reasonable approximation of the 10,000 foot
view now to see how the patches match up.

Eric

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Andrew Morton

On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi <[EMAIL PROTECTED]> wrote:

> > > +static bool permit_umount(struct vfsmount *mnt, int flags)
> > > +{
> > >
> > > ...
> > >
> > > + return mnt->mnt_uid == current->uid;
> > > +}
> > 
> > Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
> > would get us a heck of a lot closer to being able to support aliasing of
> > UIDs between different namespaces.
> > 
> 
> OK, I'll fix this up.
> 
> Actually an earlier version of this patch did use user_struct's but
> I'd changed it to uids, because it's simpler.

OK..

>  I didn't think about
> this being contrary to the id namespaces thing.

Well I was madly assuming that when serarate UID namespaces are in use, UID
42 in container A will have a different user_struct from UID 42 in
container B.  I'd suggest that we provoke an opinion from Eric & co before
you do work on this.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Miklos Szeredi

> > +static bool permit_umount(struct vfsmount *mnt, int flags)
> > +{
> >
> > ...
> >
> > +   return mnt->mnt_uid == current->uid;
> > +}
> 
> Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
> would get us a heck of a lot closer to being able to support aliasing of
> UIDs between different namespaces.
> 

OK, I'll fix this up.

Actually an earlier version of this patch did use user_struct's but
I'd changed it to uids, because it's simpler.  I didn't think about
this being contrary to the id namespaces thing.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread H. Peter Anvin


Andrew Morton wrote:

On Fri, 20 Apr 2007 12:25:34 +0200 Miklos Szeredi <[EMAIL PROTECTED]> wrote:


+static bool permit_umount(struct vfsmount *mnt, int flags)
+{

...

+   return mnt->mnt_uid == current->uid;
+}


Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
would get us a heck of a lot closer to being able to support aliasing of
UIDs between different namespaces.



Not to mention it should be fsuid, not uid.

-hpa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Andrew Morton

On Fri, 20 Apr 2007 12:25:34 +0200 Miklos Szeredi <[EMAIL PROTECTED]> wrote:

> +static bool permit_umount(struct vfsmount *mnt, int flags)
> +{
>
> ...
>
> + return mnt->mnt_uid == current->uid;
> +}

Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
would get us a heck of a lot closer to being able to support aliasing of
UIDs between different namespaces.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Andrew Morton

On Fri, 20 Apr 2007 12:25:34 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:

 +static bool permit_umount(struct vfsmount *mnt, int flags)
 +{

 ...

 + return mnt-mnt_uid == current-uid;
 +}

Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
would get us a heck of a lot closer to being able to support aliasing of
UIDs between different namespaces.

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread H. Peter Anvin


Andrew Morton wrote:

On Fri, 20 Apr 2007 12:25:34 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:


+static bool permit_umount(struct vfsmount *mnt, int flags)
+{

...

+   return mnt-mnt_uid == current-uid;
+}


Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
would get us a heck of a lot closer to being able to support aliasing of
UIDs between different namespaces.



Not to mention it should be fsuid, not uid.

-hpa
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Miklos Szeredi

  +static bool permit_umount(struct vfsmount *mnt, int flags)
  +{
 
  ...
 
  +   return mnt-mnt_uid == current-uid;
  +}
 
 Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
 would get us a heck of a lot closer to being able to support aliasing of
 UIDs between different namespaces.
 

OK, I'll fix this up.

Actually an earlier version of this patch did use user_struct's but
I'd changed it to uids, because it's simpler.  I didn't think about
this being contrary to the id namespaces thing.

Miklos
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Andrew Morton

On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:

   +static bool permit_umount(struct vfsmount *mnt, int flags)
   +{
  
   ...
  
   + return mnt-mnt_uid == current-uid;
   +}
  
  Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
  would get us a heck of a lot closer to being able to support aliasing of
  UIDs between different namespaces.
  
 
 OK, I'll fix this up.
 
 Actually an earlier version of this patch did use user_struct's but
 I'd changed it to uids, because it's simpler.

OK..

  I didn't think about
 this being contrary to the id namespaces thing.

Well I was madly assuming that when serarate UID namespaces are in use, UID
42 in container A will have a different user_struct from UID 42 in
container B.  I'd suggest that we provoke an opinion from Eric  co before
you do work on this.

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Eric W. Biederman

Andrew Morton [EMAIL PROTECTED] writes:

 On Sat, 21 Apr 2007 10:09:42 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:

   +static bool permit_umount(struct vfsmount *mnt, int flags)
   +{
  
   ...
  
   +return mnt-mnt_uid == current-uid;
   +}
  
  Yes, this seems very wrong.  I'd have thought that comparing user_struct*'s
  would get us a heck of a lot closer to being able to support aliasing of
  UIDs between different namespaces.
  
 
 OK, I'll fix this up.
 
 Actually an earlier version of this patch did use user_struct's but
 I'd changed it to uids, because it's simpler.

 OK..

  I didn't think about
 this being contrary to the id namespaces thing.

 Well I was madly assuming that when serarate UID namespaces are in use, UID
 42 in container A will have a different user_struct from UID 42 in
 container B.  I'd suggest that we provoke an opinion from Eric  co before
 you do work on this.

That is what I what I have been thinking as well, storing a user
struct on each mount point seems sane, plus it allows per user mount
rlimits which is major plus.  Especially since we seem to be doing
accounting only for user mounts a per user rlimit seems good.

To get the user we should be user fs_uid as HPA suggested.

Finally I'm pretty certain the capability we should care about in
this context is CAP_SETUID.  Instead of CAP_SYS_ADMIN.

If we have CAP_SETUID we can become which ever user owns the mount,
and the root user in a container needs this, so he can run login
programs.  So changing the appropriate super user checks from
CAP_SYS_ADMIN to CAP_SETUID I think is the right thing todo.

With the CAP_SETUID thing handled I'm not currently seeing any adverse
implications to using this in containers.

Ok.  Now that I have a reasonable approximation of the 10,000 foot
view now to see how the patches match up.

Eric


-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

2007-04-21 Thread Eric W. Biederman

Miklos Szeredi [EMAIL PROTECTED] writes:

 From: Miklos Szeredi [EMAIL PROTECTED]

 The owner doesn't need sysadmin capabilities to call umount().

 Similar behavior as umount(8) on mounts having user=UID option in
 /etc/mtab.  The difference is that umount also checks /etc/fstab,
 presumably to exclude another mount on the same mountpoint.

 Signed-off-by: Miklos Szeredi [EMAIL PROTECTED]
 ---

 Index: linux/fs/namespace.c
 ===
 --- linux.orig/fs/namespace.c 2007-04-20 11:55:05.0 +0200
 +++ linux/fs/namespace.c  2007-04-20 11:55:06.0 +0200
 @@ -659,6 +659,25 @@ static int do_umount(struct vfsmount *mn
  }
  
  /*
 + * umount is permitted for
 + *  - sysadmin
 + *  - mount owner, if not forced umount
 + */
 +static bool permit_umount(struct vfsmount *mnt, int flags)
 +{
 + if (capable(CAP_SYS_ADMIN))
 + return true;
 +
 + if (!(mnt-mnt_flags  MNT_USER))
 + return false;
 +
 + if (flags  MNT_FORCE)
 + return false;
 +
 + return mnt-mnt_uid == current-uid;
 +}

I think this should be:

static bool permit_umount(struct vfsmount *mnt, int flags)
{
if ((mnt-mnt_uid != current-fsuid)  !capable(CAP_SETUID))
return false;

if ((flags  MNT_FORCE)  !capable(CAP_SYS_ADMIN))
return false;

return true;
}

I.e. 
  MNT_USER gone.
  compare against fsuid.
  Only require setuid for unmounts unless force is specified.

  I suspect we can allow MNT_FORCE for non-privileged users 
  as well if we can trust the filesystem.

 +/*
   * Now umount can handle mount points as well as block devices.
   * This is important for filesystems which use unnamed block devices.
   *
 @@ -681,7 +700,7 @@ asmlinkage long sys_umount(char __user *
   goto dput_and_out;
  
   retval = -EPERM;
 - if (!capable(CAP_SYS_ADMIN))
 + if (!permit_umount(nd.mnt, flags))
   goto dput_and_out;
  
   retval = do_umount(nd.mnt, flags);

 --
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

Re: [patch 2/8] allow unprivileged umount

20 matches

Site Navigation

Mail list logo

Footer information