lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALCETrV1EtrzfEhS55ToPD5VTbY9VjmmOA6bv2H9PGGQ-G=WGA@mail.gmail.com>
Date:	Thu, 11 Sep 2014 08:14:36 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	lkml <linux-kernel@...r.kernel.org>,
	"linux-man@...r.kernel.org" <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	richard -rw- weinberger <richard.weinberger@...il.com>,
	"Serge E. Hallyn" <serge@...lyn.com>
Subject: Re: For review: user_namespace(7) man page

On Thu, Sep 11, 2014 at 7:46 AM, Michael Kerrisk (man-pages)
<mtk.manpages@...il.com> wrote:
> Hi Eric,
>
> On 09/09/2014 09:05 AM, Eric W. Biederman wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> writes:
>>
>>> Hi Andy, and Eric,
>>>>>        1. The  writing  process  must  have  the CAP_SETUID (CAP_SETGID)
>>>>>           capability in the user namespace of the process pid.
>>>>
>>>> This checked for the opening process (and I don't actually remember
>>>> whether it's checked for the writing process).
>>>
>>> Eric, can you comment?
>>
>> We have to check for the opening processes and that changes was made
>> after I implemented my interface. Pieces of the code appear to also
>> examine the writing process and verify everything applies to it as well.
>>
>> I goofed when I designed the interface originall and had not realized
>> what a classic design error it can be to not restrict by the opening
>> process.
>
> So, I still need some help here. Should the sentence above just read:
>
>         1. The  *opening*  process  must  have  the CAP_SETUID (CAP_SETGID)
>            capability in the user namespace of the process pid.

I think this is sufficient.

>
> or must something also be said about the writing process? (If so, i'd
> appreciate a completely formed sentence or two that I can just drop into
> the man page..)

There might be a restriction there, too, but I think it could be
removed, and I also think that it's unlikely that anyone will
encounter it.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ