| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080228195118.GA16634@sergelap.austin.ibm.com> Date: Thu, 28 Feb 2008 13:51:18 -0600 From: "Serge E. Hallyn" <serue@...ibm.com> To: Jeff Moyer <jmoyer@...hat.com> Cc: Ian Kent <raven@...maw.net>, Andrew Morton <akpm@...ux-foundation.org>, Kernel Mailing List <linux-kernel@...r.kernel.org>, autofs mailing list <autofs@...ux.kernel.org>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, Pavel Emelyanov <xemul@...nvz.org>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: [PATCH 3/4] autofs4 - track uid and gid of last mount requestor Quoting Jeff Moyer (jmoyer@...hat.com): > Ian Kent <raven@...maw.net> writes: > > > On Wed, 2008-02-27 at 23:23 -0800, Andrew Morton wrote: > >> On Thu, 28 Feb 2008 16:08:20 +0900 Ian Kent <raven@...maw.net> wrote: > >> > which includes the process uid and gid, and as part of > >> > the lookup we set macros for several mount map substitution variables, > >> > derived from the uid and gid of the process requesting the mount and > >> > they can be used within autofs maps. > >> > >> yeah, could be a problem. Hopefully the namespace people can advise. > >> Perhaps we need a concept of an exportable-to-userspace namespace-id+uid, > >> namespace-id+gid, namespace-id+pid, etc for this sort of thing. It has > >> come up before. Recently, but I forget what the context was. > > > > I'm all ears to any feedback from others on this, please. > > I think there is some confusion surrounding what the UID and GID are > used for in this context. I'll try to explain it as best I can. > > When the automount daemon parses a map entry, it will do some amount of > variable substitution. So, let's say you're running on an i386 box, and > you want to mount a library directory from a server. You might have a > map entry that looks like this: > > lib server:/export/$ARCH/lib > > In this case, the automount daemon will replace $ARCH with i386, and > will try the following mount command: > > mount -t nfs server:/export/i386/lib /automountdir/lib > > There are cases where it would be helpful to use the requesting > process's UID in such a variable substitution. Consider the case of a > CIFS share, where the automount daemon runs as user root, but we want to > mount the share using the credentials of the requesting user. In this > case, the UID and GID can be helpful in formatting the mount options for > mounting the share. > > So, the UID and GID are used only for map substitutions. Now, having > said all of that, I'll have to look more closely at why we even need to > keep track of it, given that it only needs to be used when performing > the lookup, and at that time we have information on the requesting UID > and GID. Thanks Jeff. If that's the case then user namespaces don't affect this at all. (Still trying to follow the rest of the thread bc i definately feel like I'm missing something. I swear I understood autofs 10+ years ago :) thanks, -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists