Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-08 Thread Seth Forshee
On Thu, Oct 01, 2015 at 09:41:37AM -0500, Seth Forshee wrote: > On Thu, Oct 01, 2015 at 09:40:52AM -0400, Mike Snitzer wrote: > > On Thu, Oct 01 2015 at 8:55am -0400, > > Seth Forshee wrote: > > > > > On Wed, Sep 30, 2015 at 07:42:15PM -0400, Mike Snitzer wrote: > >

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-01 Thread Seth Forshee
On Wed, Sep 30, 2015 at 07:42:15PM -0400, Mike Snitzer wrote: > On Wed, Sep 30 2015 at 4:15pm -0400, > Seth Forshee wrote: > > > When mounting a filesystem on a block device there is currently > > no verification that the user has appropriate access to the > > device

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-01 Thread Mike Snitzer
On Thu, Oct 01 2015 at 8:55am -0400, Seth Forshee wrote: > On Wed, Sep 30, 2015 at 07:42:15PM -0400, Mike Snitzer wrote: > > On Wed, Sep 30 2015 at 4:15pm -0400, > > Seth Forshee wrote: > > > > > When mounting a filesystem on a block

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-01 Thread Seth Forshee
On Thu, Oct 01, 2015 at 10:40:08AM -0500, Eric W. Biederman wrote: > Seth Forshee writes: > > > When mounting a filesystem on a block device there is currently > > no verification that the user has appropriate access to the > > device file passed to mount. This has

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-01 Thread Eric W. Biederman
Mike Snitzer writes: > What layer establishes access rights to historically root-only > privileged block devices? Is it user namespaces? Block devices are weird. Mounts historically have not checked the permissions on the block devices because a mounter has CAP_SYS_ADMIN.

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-10-01 Thread Jan Kara
On Thu 01-10-15 10:55:50, Eric W. Biederman wrote: > The goal if possible is to run things like docker without needing to be > root or even more fun to run docker in a container, and in general > enable nested containers. Frankly at the filesystem side we are rather far from being able to safely

[PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-09-30 Thread Seth Forshee
When mounting a filesystem on a block device there is currently no verification that the user has appropriate access to the device file passed to mount. This has not been an issue so far since the user in question has always been root, but this must be changed before allowing unprivileged users to

Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting

2015-09-30 Thread Mike Snitzer
On Wed, Sep 30 2015 at 4:15pm -0400, Seth Forshee wrote: > When mounting a filesystem on a block device there is currently > no verification that the user has appropriate access to the > device file passed to mount. This has not been an issue so far > since the user