| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPL3RVHB=E_s1AW1sQMEgrLYJ8ADCdr=qaKsDrpYjVzW-Apq8w@mail.gmail.com>
Date: Tue, 14 Sep 2021 09:59:19 -0400
From: Bruce Fields <bfields@...hat.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: Casey Schaufler <casey@...aufler-ca.com>,
"Dr. David Alan Gilbert" <dgilbert@...hat.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, virtio-fs@...hat.com,
Daniel Walsh <dwalsh@...hat.com>,
Christian Brauner <christian.brauner@...ntu.com>,
Casey Schaufler <casey.schaufler@...el.com>,
LSM <linux-security-module@...r.kernel.org>,
selinux@...r.kernel.org, "Theodore Ts'o" <tytso@....edu>,
Miklos Szeredi <miklos@...redi.hu>,
Giuseppe Scrivano <gscrivan@...hat.com>,
stephen.smalley.work@...il.com,
Andreas Gruenbacher <agruenba@...hat.com>,
Dave Chinner <david@...morbit.com>
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal <vgoyal@...hat.com> wrote:
> Same is the requirement for regular containers and that's why
> podman (and possibly other container managers), make top level
> storage directory only readable and searchable by root, so that
> unpriveleged entities on host can not access container root filesystem
> data.
Note--if that directory is on NFS, making it readable and searchable
by root is very weak protection, since it's often possible for an
attacker to guess filehandles and access objects without the need for
directory lookups.
--b.
Powered by blists - more mailing lists