lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <x494pbtxaup.fsf@segfault.boston.devel.redhat.com>
Date:	Thu, 28 Feb 2008 12:13:50 -0500
From:	Jeff Moyer <jmoyer@...hat.com>
To:	Ian Kent <raven@...maw.net>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Kernel Mailing List <linux-kernel@...r.kernel.org>,
	autofs mailing list <autofs@...ux.kernel.org>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	Pavel Emelyanov <xemul@...nvz.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [PATCH 3/4] autofs4 - track uid and gid of last mount requestor

Ian Kent <raven@...maw.net> writes:

> On Wed, 2008-02-27 at 23:23 -0800, Andrew Morton wrote:
>> On Thu, 28 Feb 2008 16:08:20 +0900 Ian Kent <raven@...maw.net> wrote:
>> > which includes the process uid and gid, and as part of
>> > the lookup we set macros for several mount map substitution variables,
>> > derived from the uid and gid of the process requesting the mount and
>> > they can be used within autofs maps.
>> 
>> yeah, could be a problem.  Hopefully the namespace people can advise. 
>> Perhaps we need a concept of an exportable-to-userspace namespace-id+uid,
>> namespace-id+gid, namespace-id+pid, etc for this sort of thing.  It has
>> come up before.  Recently, but I forget what the context was.
>
> I'm all ears to any feedback from others on this, please.

I think there is some confusion surrounding what the UID and GID are
used for in this context.  I'll try to explain it as best I can.

When the automount daemon parses a map entry, it will do some amount of
variable substitution.  So, let's say you're running on an i386 box, and
you want to mount a library directory from a server.  You might have a
map entry that looks like this:

lib	server:/export/$ARCH/lib

In this case, the automount daemon will replace $ARCH with i386, and
will try the following mount command:

mount -t nfs server:/export/i386/lib /automountdir/lib

There are cases where it would be helpful to use the requesting
process's UID in such a variable substitution.  Consider the case of a
CIFS share, where the automount daemon runs as user root, but we want to
mount the share using the credentials of the requesting user.  In this
case, the UID and GID can be helpful in formatting the mount options for
mounting the share.

So, the UID and GID are used only for map substitutions.  Now, having
said all of that, I'll have to look more closely at why we even need to
keep track of it, given that it only needs to be used when performing
the lookup, and at that time we have information on the requesting UID
and GID.

Cheers,

Jeff
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ