lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 14 Jul 2006 11:46:40 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	"Serge E. Hallyn" <serue@...ibm.com>,
	Cedric Le Goater <clg@...ibm.com>,
	linux-kernel@...r.kernel.org, Andrew Morton <akpm@...l.org>,
	Kirill Korotaev <dev@...nvz.org>, Andrey Savochkin <saw@...ru>,
	Herbert Poetzl <herbert@...hfloor.at>,
	Sam Vilain <sam.vilain@...alyst.net.nz>,
	Dave Hansen <haveblue@...ibm.com>
Subject: Re: [PATCH -mm 5/7] add user namespace

Quoting Eric W. Biederman (ebiederm@...ssion.com):
> "Serge E. Hallyn" <serue@...ibm.com> writes:
> >> No.  The uids in a filesystem are interpreted in some user namespace
> >> context.  We can discover that context at the first mount of the
> >> filesystem.  Assuming the uids on a filesystem are the same set
> >> of uids your process is using is just wrong.
> >
> > But, when I insert a usb keychain disk into my laptop, that fs assumes
> > the uids on it's fs are the same as uids on my laptop...
> 
> I agree that setting the fs_user_namespace at mount time is fine.
> However when we use a mount that a process in another user namespace
> we need to not assume the uids are the same.
> 
> Do you see the difference?

Aaah - so you don't want to store this on the fs.  So this is actually
like what I had mentioned many many emails ago?

> > much wider community on.  I.e. the cifs and nifs folks.  I haven't even
> > googled to see what they say about it.
> 
> Yes.
> 
> >> Yes.  Your patch does lay some interesting foundation work.
> >> But we must not merge it upstream until we have a complete patchset
> >> that handles all of the user namespace issues.
> >
> > Don't think Cedric expected this to be merged  :)  Just to start
> > discussion, which it certainly did...
> 
> If we could have [RFC] in front of these proof of concept patches
> it would clear up a lot of confusion.

Agreed.

> > If we're going to talk about keys (which I'd like to) I think we need to
> > decide whether we are just using them as an easy wider-than-uid
> > identifier, or if we actually need cryptographic keys to prevent
> > "identity theft"  (heheh).  I don't know that we need the latter for
> > anything, but of course if we're going to try for a more general
> > solution, then we do.
> 
> Actually I was thinking something as mundane as a mapping table.  This
> uid in this namespace equals that uid in that other namespace.

I see.

That's also what I was imagining earlier, but it seems crass somehow.
I'd almost prefer to just tag a mount with a user namespace implicitly,
and only allow the mounter to say 'do' or 'don't' allow this to be read
by users in another namespace.  Then in the 'don't' case, user joe
[1000] can't read files belonging to user jack [1000] in another
namespace.  It's stricter, but clean.

But whether we do mapping tables or simple isolation, I do still like
the idea of pursuing the use of the keystore for global uids.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists