Subject: Re: [RFC][PATCH-2.4] Prevent mounting on ".."
From: Arjan van de Ven <arjanv@redhat.com>
Reply-To: arjanv@redhat.com
To: Willy TARREAU <willy@w.ods.org>
Cc: marcelo@conectiva.com.br, viro@parcelfarce.linux.theplanet.co.uk,
       linux-kernel@vger.kernel.org
In-Reply-To: <20030629130952.GA246@pcw.home.local>
References: <20030629130952.GA246@pcw.home.local>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-LBzucd6A7O2GI3oQwARf"
Organization: Red Hat, Inc.
Message-Id: <1056895780.1720.1.camel@laptop.fenrus.com>
Mime-Version: 1.0
Date: 29 Jun 2003 16:09:40 +0200
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1271
Lines: 37


--=-LBzucd6A7O2GI3oQwARf
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sun, 2003-06-29 at 15:09, Willy TARREAU wrote:
> Hi Al and Marcelo,
>=20
> while I was trying to get maximum restrictions on a chroot on 2.4.21-pre,
> I found that it's always possible to mount a ramfs or a tmpfs on "..",
> and then upload whatever I wanted in it. It's a shame because I was
> trying to isolate network daemons inside empty, read-only file-systems,
> and I discovered that this effort was worthless. To resume, imagine a
> network daemon which does :

well...
you need to be root to mount. If you're root you can break out of a
chroot anyway....

--=-LBzucd6A7O2GI3oQwARf
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA+/vMkxULwo51rQBIRAnwrAJ4xSSP17Z4ciDbQaXA5ROUTrk+YUwCfSYPj
jU/1rCdKEj6WKCKlNLVTHBM=
=iAJD
-----END PGP SIGNATURE-----

--=-LBzucd6A7O2GI3oQwARf--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/