| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Feb 2016 11:32:13 -0500 From: Vivek Goyal <vgoyal@...hat.com> To: Nazarov Sergey <s-nazarov@...dex.ru> Cc: Ignacy Gawędzki <ignacy.gawedzki@...en-communications.fr>, "linux-unionfs@...r.kernel.org" <linux-unionfs@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org> Subject: Re: [PATCH v2 1/1] OverlayFS: Fix checking permissions during lookup. On Sat, Feb 27, 2016 at 01:40:02PM +0300, Nazarov Sergey wrote: > 26.02.2016, 22:41, "Vivek Goyal" <vgoyal@...hat.com>: > > > > So what's the problem we are trying to solve. Why should we able to > > override the DAC checks of lower layer if same directory in upper > > is searchable for user but it is not searchable in lower layer. > > > > If I right, this is a one of the main feature of overlayfs - upper layer has priority over lower ones. > Override AC checks necessary for lookup operation only. Lower layer files access AC checks > remain, so this should not be a security problem. So a directory which is not searchable by user in lower layer suddenly becomes searchable once union is created. In fact there are two cases. If upper layer directory does exist, then it is not searchable. If upper layer direcotry does exist with user having search permissions, then lower layer directory should become searchable? May be, I don't know. Thanks Vivek
Powered by blists - more mailing lists