| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87siizla5p.fsf@x220.int.ebiederm.org> Date: Tue, 07 Oct 2014 16:42:10 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Andy Lutomirski <luto@...capital.net> Cc: Serge Hallyn <serge.hallyn@...ntu.com>, Al Viro <viro@...iv.linux.org.uk>, Andrey Vagin <avagin@...nvz.org>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, Linux API <linux-api@...r.kernel.org>, Andrey Vagin <avagin@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Cyrill Gorcunov <gorcunov@...nvz.org>, Pavel Emelyanov <xemul@...allels.com>, Serge Hallyn <serge.hallyn@...onical.com>, Rob Landley <rob@...dley.net> Subject: Re: [PATCH] [RFC] mnt: add ability to clone mntns starting with the current root Andy Lutomirski <luto@...capital.net> writes: > On Tue, Oct 7, 2014 at 3:42 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >> Andy Lutomirski <luto@...capital.net> writes: >> >>> On Tue, Oct 7, 2014 at 2:42 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >>>> >>>> I am squinting and looking this way and that but while I can imagine >>>> someone more clever than I can think up some unique property of rootfs >>>> that makes it a little more exploitable than just mounting a ramfs, >>>> but since you have to be root to exploit those properties I think the >>>> game is pretty much lost. >>> >>> Yes. rootfs might not be empty, it might have totally insane >>> permissions, and it's globally shared, which makes it into a wonderful >>> channel to pass things around that shouldn't be passed around. >> >> But if only root with proc mounted can reach it... I don't know. > > It doesn't have to be global root. It could be userns root. > >> There might be a case for setting MNT_LOCKED when we overmount "/" >> as root but I don't yet see it. >> >>> Can non-root do this? You'd need to be in a userns with a "/" that >>> isn't MNT_LOCKED. Can this happen on any normal setup? >>> >>> FWIW, I think we should unconditionally MNT_LOCKED the root on userns >>> unshare, even if it's the only mount. >> >> To the best of my knowledge MNT_LOCKED is set uncondintially on userns >> unshare. > > Only if list_empty(&old->mnt_expire), whatever that means, I think. An autofs or nfs automounted mount. Can those ever become root? Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists