| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Nov 2014 16:27:37 +0100 From: Miklos Szeredi <miklos@...redi.hu> To: Seth Forshee <seth.forshee@...onical.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, "Serge H. Hallyn" <serge.hallyn@...ntu.com>, Andy Lutomirski <luto@...capital.net>, Michael j Theall <mtheall@...ibm.com>, fuse-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH v5 3/4] fuse: Restrict allow_other to the superblock's namespace or a descendant On Wed, Oct 22, 2014 at 04:24:19PM -0500, Seth Forshee wrote: > Unprivileged users are normally restricted from mounting with the > allow_other option by system policy, but this could be bypassed > for a mount done with user namespace root permissions. In such > cases allow_oth er should not allow users outside the userns > to access the mount as doing so would give the unprivileged user > the ability to manipulate processes it would otherwise be unable > to manipulate. Therefore access with allow_other should be > restricted to users in the userns as the superblock or a > descendant of that namespace. Fine. But aren't this kind of thing supposed to be prevented anyway by having private mount namespace coupled with the pid-user-whatever namespace? It seems like being a bit too careful (not to say that that's a bad thing). Thanks, Miklos -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists