| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Feb 2008 12:13:50 -0500 From: Jeff Moyer <jmoyer@...hat.com> To: Ian Kent <raven@...maw.net> Cc: Andrew Morton <akpm@...ux-foundation.org>, Kernel Mailing List <linux-kernel@...r.kernel.org>, autofs mailing list <autofs@...ux.kernel.org>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, Pavel Emelyanov <xemul@...nvz.org>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: [PATCH 3/4] autofs4 - track uid and gid of last mount requestor Ian Kent <raven@...maw.net> writes: > On Wed, 2008-02-27 at 23:23 -0800, Andrew Morton wrote: >> On Thu, 28 Feb 2008 16:08:20 +0900 Ian Kent <raven@...maw.net> wrote: >> > which includes the process uid and gid, and as part of >> > the lookup we set macros for several mount map substitution variables, >> > derived from the uid and gid of the process requesting the mount and >> > they can be used within autofs maps. >> >> yeah, could be a problem. Hopefully the namespace people can advise. >> Perhaps we need a concept of an exportable-to-userspace namespace-id+uid, >> namespace-id+gid, namespace-id+pid, etc for this sort of thing. It has >> come up before. Recently, but I forget what the context was. > > I'm all ears to any feedback from others on this, please. I think there is some confusion surrounding what the UID and GID are used for in this context. I'll try to explain it as best I can. When the automount daemon parses a map entry, it will do some amount of variable substitution. So, let's say you're running on an i386 box, and you want to mount a library directory from a server. You might have a map entry that looks like this: lib server:/export/$ARCH/lib In this case, the automount daemon will replace $ARCH with i386, and will try the following mount command: mount -t nfs server:/export/i386/lib /automountdir/lib There are cases where it would be helpful to use the requesting process's UID in such a variable substitution. Consider the case of a CIFS share, where the automount daemon runs as user root, but we want to mount the share using the credentials of the requesting user. In this case, the UID and GID can be helpful in formatting the mount options for mounting the share. So, the UID and GID are used only for map substitutions. Now, having said all of that, I'll have to look more closely at why we even need to keep track of it, given that it only needs to be used when performing the lookup, and at that time we have information on the requesting UID and GID. Cheers, Jeff -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists