LKML: Christoph Hellwig: Re: [RCF] [PATCH] unprivileged mount/umount

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>LKML: Christoph Hellwig: Re: [RCF] [PATCH] unprivileged mount/umount</title><link href="/css/message.css" rel="stylesheet" type="text/css" /><link href="/css/wrap.css" rel="alternate stylesheet" type="text/css" title="wrap" /><link href="/css/nowrap.css" rel="stylesheet" type="text/css" title="nowrap" /><link href="/favicon.ico" rel="shortcut icon" /><script src="/js/simple-calendar.js" type="text/javascript"></script><script src="/js/styleswitcher.js" type="text/javascript"></script><link rel="alternate" type="application/rss+xml" title="lkml.org : last 100 messages" href="/rss.php" /><link rel="alternate" type="application/rss+xml" title="lkml.org : last messages by Christoph Hellwig" href="/groupie.php?aid=7367" /><!--Matomo--><script> var _paq = window._paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(["setDoNotTrack", true]); _paq.push(["disableCookies"]); _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="//m.lkml.org/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '1']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script><!--End Matomo Code--></head><body onload="es.jasper.simpleCalendar.init();" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><table border="0" cellpadding="0" cellspacing="0"><tr><td width="180" align="center"><a href="/"><img style="border:0;width:135px;height:32px" src="/images/toprowlk.gif" alt="lkml.org" /></a></td><td width="32">&#160;</td><td class="nb"><div><a class="nb" href="/lkml"> 
[lkml]</a> &#160; <a class="nb" href="/lkml/2005"> [2005]</a> &#160; <a class="nb" href="/lkml/2005/5"> [May]</a> &#160; <a class="nb" href="/lkml/2005/5/11"> [11]</a> &#160; <a class="nb" href="/lkml/last100"> [last100]</a> &#160; <a href="/rss.php"><img src="/images/rss-or.gif" border="0" alt="RSS Feed" /></a></div><div>Views: <a href="#" class="nowrap" onclick="setActiveStyleSheet('wrap');return false;">[wrap]</a><a href="#" class="wrap" onclick="setActiveStyleSheet('nowrap');return false;">[no wrap]</a> &#160; <a class="nb" href="/lkml/mheaders/2005/5/11/38" onclick="this.href='/lkml/headers'+'/2005/5/11/38';">[headers]</a>&#160; <a href="/lkml/bounce/2005/5/11/38">[forward]</a>&#160; </div></td><td width="32">&#160;</td></tr><tr><td valign="top"><div class="es-jasper-simpleCalendar" baseurl="/lkml/"></div><div class="threadlist">Messages in this thread</div><ul class="threadlist"><li class="root"><a href="/lkml/2005/5/3/64">First message in thread</a></li><li><a href="/lkml/2005/5/3/64">Miklos Szeredi</a><ul><li><a href="/lkml/2005/5/3/141">Bill Davidsen</a></li><li><a href="/lkml/2005/5/4/57">Eric Van Hensbergen</a><ul><li><a href="/lkml/2005/5/4/70">Miklos Szeredi</a><ul><li><a href="/lkml/2005/5/4/73">Eric Van Hensbergen</a><ul><li><a href="/lkml/2005/5/4/78">Miklos Szeredi</a></li></ul></li><li><a href="/lkml/2005/5/11/40">Christoph Hellwig</a><ul><li><a href="/lkml/2005/5/11/61">Miklos Szeredi</a></li></ul></li></ul></li></ul></li><li><a href="/lkml/2005/5/4/66">Martin Waitz</a><ul><li><a href="/lkml/2005/5/4/71">Miklos Szeredi</a></li><li><a href="/lkml/2005/5/11/41">Christoph Hellwig</a></li></ul></li><li class="origin"><a href="/lkml/2005/5/11/60">Christoph Hellwig</a><ul><li><a href="/lkml/2005/5/11/60">Miklos Szeredi</a><ul><li><a href="/lkml/2005/5/16/51">Christoph Hellwig</a></li></ul></li></ul></li></ul></li></ul></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerl.gif" width="32" height="32" alt="/" /></td><td class="c" rowspan="2" valign="top" 
style="padding-top: 1em"><table><tr><td><table><tr><td class="lp">Date</td><td class="rp" itemprop="datePublished">Wed, 11 May 2005 09:48:18 +0100</td></tr><tr><td class="lp">From</td><td class="rp" itemprop="author">Christoph Hellwig &lt;&gt;</td></tr><tr><td class="lp">Subject</td><td class="rp" itemprop="name">Re: [RCF] [PATCH] unprivileged mount/umount</td></tr></table></td><td></td></tr></table><pre itemprop="articleBody">On Tue, May 03, 2005 at 04:31:35PM +0200, Miklos Szeredi wrote:<br />&gt; This (lightly tested) patch against 2.6.12-rc* adds some<br />&gt; infrastructure and basic functionality for unprivileged mount/umount<br />&gt; system calls.<br /><br />Thanks for doing this.<br /><br />&gt; Details:<br />&gt; <br />&gt; - new mnt_owner field in struct vfsmount<br />&gt; - if mnt_owner is NULL, it's a privileged mount<br />&gt; - global limit on unprivileged mounts in /proc/sys/fs/mount-max<br /><br />I think the name should be different. user-mount-max?<br /><br />Actually the accounting in your patch is a little odd, we account for<br />all mounts, and after mount-max is reached user mounts are denied.<br />Shouldn't we account only for user mounts?<br /><br />&gt; - per user limit of mounts in rlimit<br />&gt; - allow umount for the owner (except force flag)<br />&gt; - allow unprivileged bind mount to files/directories writable by owner<br />&gt; - add nosuid,nodev flags to unprivileged mounts<br />&gt; <br />&gt; Next step would be to add some policy for new mounts. I'm thinking of<br />&gt; either something static: e.g. 
FS_SAFE flag for "safe" filesystems, or<br />&gt; a more configurable approach through sysfs or something.<br />&gt; <br />&gt; Comments?<br /><br />&gt; --- a6d962c4f559f3644678574a66310084fd13d130/fs/namespace.c (mode:100644 sha1:3b93e5d750ebf8452ea1264251c5b55cc89f48f8)<br />&gt; +++ uncommitted/fs/namespace.c (mode:100644)<br />&gt; &#64;&#64; -42,7 +42,7 &#64;&#64;<br />&gt; static struct list_head *mount_hashtable;<br />&gt; static int hash_mask, hash_bits;<br />&gt; static kmem_cache_t *mnt_cache; <br />&gt; -<br />&gt; +struct mounts_stat_struct mounts_stat;<br />&gt; static inline unsigned long hash(struct vfsmount *mnt, struct dentry *dentry)<br /><br />minor nitpick - please keep an empty line before the function here.<br />Also I wonder whether we should have struct mounts_stat_struct at all,<br />just having two variables seems a lot saner to me.<br /><br />&gt; - if (!capable(CAP_SYS_ADMIN))<br />&gt; + if (!capable(CAP_SYS_ADMIN) &amp;&amp; (nd.mnt-&gt;mnt_owner != current-&gt;user ||<br />&gt; + (flags &amp; MNT_FORCE)))<br />&gt; goto dput_and_out;<br /><br />although it won't have different results I'd reorder this to make reading<br />more easy:<br /><br /> if ((nd.mnt-&gt;mnt_owner != current-&gt;user || (flags &amp; MNT_FORCE)) &amp;&amp;<br /> !capable(CAP_SYS_ADMIN))<br /><br />&gt; -static int mount_is_safe(struct nameidata *nd)<br />&gt; +static struct user_struct *mount_is_safe(struct nameidata *nd)<br />&gt; {<br />&gt; if (capable(CAP_SYS_ADMIN))<br />&gt; - return 0;<br />&gt; - return -EPERM;<br />&gt; -#ifdef notyet<br />&gt; - if (S_ISLNK(nd-&gt;dentry-&gt;d_inode-&gt;i_mode))<br />&gt; - return -EPERM;<br />&gt; + return NULL;<br />&gt; +<br />&gt; + if (!S_ISDIR(nd-&gt;dentry-&gt;d_inode-&gt;i_mode) &amp;&amp;<br />&gt; + !S_ISREG(nd-&gt;dentry-&gt;d_inode-&gt;i_mode))<br />&gt; + return ERR_PTR(-EPERM);<br />&gt; if (nd-&gt;dentry-&gt;d_inode-&gt;i_mode &amp; S_ISVTX) {<br />&gt; - if (current-&gt;uid != 
nd-&gt;dentry-&gt;d_inode-&gt;i_uid)<br />&gt; - return -EPERM;<br />&gt; + if (current-&gt;fsuid != nd-&gt;dentry-&gt;d_inode-&gt;i_uid)<br />&gt; + return ERR_PTR(-EPERM);<br />&gt; }<br />&gt; if (permission(nd-&gt;dentry-&gt;d_inode, MAY_WRITE, nd))<br />&gt; - return -EPERM;<br />&gt; - return 0;<br />&gt; -#endif<br />&gt; + return ERR_PTR(-EPERM);<br />&gt; + return current-&gt;user;<br /><br />Currently we do allow bind mounts over every type of file for the super<br />user. I think we should keep allowing that. Also I think this function<br />wants a really big comment explaining all the rules for user mounts.<br /><br />-<br />To unsubscribe from this list: send the line "unsubscribe linux-kernel" in<br />the body of a message to majordomo&#64;vger.kernel.org<br />More majordomo info at <a href="http://vger.kernel.org/majordomo-info.html">http://vger.kernel.org/majordomo-info.html</a><br />Please read the FAQ at <a href="http://www.tux.org/lkml/">http://www.tux.org/lkml/</a><br /><br /></pre></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerr.gif" width="32" height="32" alt="\" /></td></tr><tr><td align="right" valign="bottom"> &#160; </td></tr><tr><td align="right" valign="bottom">&#160;</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerl.gif" width="32" height="32" alt="\" /></td><td class="c">&#160;</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerr.gif" width="32" height="32" alt="/" /></td></tr><tr><td align="right" valign="top" colspan="2"> &#160; </td><td class="lm">Last update: 2005-05-11 10:52 &#160;&#160; [from the cache]<br />&#169;2003-2020 <a href="http://blog.jasper.es/"><span itemprop="editor">Jasper Spaans</span></a>|hosted at <a href="https://www.digitalocean.com/?refcode=9a8e99d24cf9">Digital Ocean</a> and my Meterkast|<a href="http://blog.jasper.es/categories.html#lkml-ref">Read the blog</a></td><td>&#160;</td></tr></table><script language="javascript" 
src="/js/styleswitcher.js" type="text/javascript"></script></body></html>
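
Review bot: in the `@@ -42,7 +42,7 @@` hunk of fs/namespace.c, `mounts_stat` is defined without `static` directly after three `static` file-scope variables, and nothing beside it says what it counts or which lock guards updates to it. If it has to be global so that code outside this file can reach it, say so in a comment at the definition and name the lock there; otherwise make it `static` like its neighbours.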
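
Review bot: in the umount permission hunk (the `if` ending in `goto dput_and_out;`), the owner test `nd.mnt->mnt_owner != current->user` rejects privileged mounts only implicitly, because their `mnt_owner` is NULL and so never equals `current->user`. A one-line comment above the `if` should state that reliance, along with why `MNT_FORCE` is the only flag withheld from an unprivileged owner, since this condition decides whether an unprivileged umount proceeds.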
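
Review bot: in the `mount_is_safe()` hunk, the new `struct user_struct *` return type gives NULL a success meaning: the `capable(CAP_SYS_ADMIN)` path returns NULL, a permitted user mount returns `current->user`, and every refusal returns `ERR_PTR(-EPERM)`. A caller that checks the result for NULL instead of using `IS_ERR()` will misread the privileged case, so the three outcomes should be documented in a comment above the function. The same comment should mention that the ownership comparison under `S_ISVTX` now uses `current->fsuid` where the old code used `current->uid`.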
