lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 08 Mar 2016 10:16:31 +0100
From:	Alexander Larsson <alexl@...hat.com>
To:	Andy Lutomirski <luto@...capital.net>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	James Bottomley <James.Bottomley@...senpartnership.com>,
	gnome-os-list@...me.org,
	Linux Containers <containers@...ts.linux-foundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	mclasen@...hat.com, Linux FS Devel <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options

On mån, 2016-03-07 at 20:59 -0800, Andy Lutomirski wrote:
> On Thu, May 28, 2015 at 12:42 PM, Eric W. Biederman
> <ebiederm@...ssion.com> wrote:
> > Andy Lutomirski <luto@...capital.net> writes:
> > 
> Apparently alexl is encountering some annoyances related to the
> current workaround, and the workaround is certainly ugly.

It works, but it introduces an extra namespace that gets exposed to the
world, which is pretty ugly. For instance, entering the namespace
becomes hard. I can setns() into the intermediate user+mount namespace
without problems, but if i try to setns into the final user+mount ns
(it gets its own implicit mount ns) i get EPERM. I'm not sure exactly
why though...

> Your proposal seems like it could break some use cases involving
> fscaps on a mount or mount-like binary.
> 
> What if we change it to use the owner of the userns that owns the
> current mount ns?  For anything that doesn't explicitly use
> namespaces, this will be zero.  For namespace users, it should do the
> right thing.

Any of these is fine with me. One nice thing would if i could somehow
detect whether this was supported or not so that i can fall back on the
old workaround.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl@...hat.com            alexander.larsson@...il.com 
He's an all-American guitar-strumming househusband with no name. She's a 
scantily clad impetuous former first lady who don't take no shit from 
nobody. They fight crime!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ