| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060714164640.GC25303@sergelap.austin.ibm.com> Date: Fri, 14 Jul 2006 11:46:40 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: "Serge E. Hallyn" <serue@...ibm.com>, Cedric Le Goater <clg@...ibm.com>, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...l.org>, Kirill Korotaev <dev@...nvz.org>, Andrey Savochkin <saw@...ru>, Herbert Poetzl <herbert@...hfloor.at>, Sam Vilain <sam.vilain@...alyst.net.nz>, Dave Hansen <haveblue@...ibm.com> Subject: Re: [PATCH -mm 5/7] add user namespace Quoting Eric W. Biederman (ebiederm@...ssion.com): > "Serge E. Hallyn" <serue@...ibm.com> writes: > >> No. The uids in a filesystem are interpreted in some user namespace > >> context. We can discover that context at the first mount of the > >> filesystem. Assuming the uids on a filesystem are the same set > >> of uids your process is using is just wrong. > > > > But, when I insert a usb keychain disk into my laptop, that fs assumes > > the uids on it's fs are the same as uids on my laptop... > > I agree that setting the fs_user_namespace at mount time is fine. > However when we use a mount that a process in another user namespace > we need to not assume the uids are the same. > > Do you see the difference? Aaah - so you don't want to store this on the fs. So this is actually like what I had mentioned many many emails ago? > > much wider community on. I.e. the cifs and nifs folks. I haven't even > > googled to see what they say about it. > > Yes. > > >> Yes. Your patch does lay some interesting foundation work. > >> But we must not merge it upstream until we have a complete patchset > >> that handles all of the user namespace issues. > > > > Don't think Cedric expected this to be merged :) Just to start > > discussion, which it certainly did... > > If we could have [RFC] in front of these proof of concept patches > it would clear up a lot of confusion. Agreed. > > If we're going to talk about keys (which I'd like to) I think we need to > > decide whether we are just using them as an easy wider-than-uid > > identifier, or if we actually need cryptographic keys to prevent > > "identity theft" (heheh). I don't know that we need the latter for > > anything, but of course if we're going to try for a more general > > solution, then we do. > > Actually I was thinking something as mundane as a mapping table. This > uid in this namespace equals that uid in that other namespace. I see. That's also what I was imagining earlier, but it seems crass somehow. I'd almost prefer to just tag a mount with a user namespace implicitly, and only allow the mounter to say 'do' or 'don't' allow this to be read by users in another namespace. Then in the 'don't' case, user joe [1000] can't read files belonging to user jack [1000] in another namespace. It's stricter, but clean. But whether we do mapping tables or simple isolation, I do still like the idea of pursuing the use of the keystore for global uids. thanks, -serge - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists