From: Andy Lutomirski
Date: Mon, 2 Nov 2015 11:57:26 -0800
Subject: Re: [PATCH] namei: permit linking with CAP_FOWNER in userns
To: Serge Hallyn
Cc: Dirk Steinmetz, Seth Forshee, Alexander Viro, Linux FS Devel, "linux-kernel@vger.kernel.org", "Eric W. Biederman", Kees Cook, Serge Hallyn

On Mon, Nov 2, 2015 at 10:02 AM, Serge Hallyn wrote:
> Quoting Dirk Steinmetz (public@rsjtdrjgfuzkfg.com):
>>
>> > We've already dealt with such regressions and iirc agreed that they were
>> > worthwhile.
>> Would you prefer to not fix the issue at all, then? Or would you prefer to
>
> No. I think I was saying I think it's worth adding the 'gid must be mapped'
> requirement.
>
> And I was saying that changing the capability needed is not ok.
>
>> add a new value on /proc/sys/fs/protected_hardlinks -- which would still
>> cause the symptoms you describe on distributions using the new value, but
>> would be more easy to change for users knowing that this is an issue?
>>
>> I personally still favor changing the behavior and documentation over a new
>> value there, as -- once identified by the user -- the user can easily adapt
>
> I agree.
>
> Note the difference - changing the capability required to link the
> file can affect (probably rare, but definitely) normal, non-user-namespace
> setups. Changing the link requirements in a user namespace so that gid
> must be mapped only affects a case which we've previously said should not
> be supported.

I think it would have no effect at all on setups that don't use
userns, so at least the exposure to potential ABI issues would be
small.

>
> Linus may still disagree - not changing what userspace can do is pretty
> fundamental, but this was purely a missed security fix iiuc.

IIRC I just didn't do it because I didn't want to think about it at
the time, and it didn't look like a *big* security issue.

--Andy