Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261295AbVDTEAn (ORCPT ); Wed, 20 Apr 2005 00:00:43 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261321AbVDTEAn (ORCPT ); Wed, 20 Apr 2005 00:00:43 -0400 Received: from ip22-176.tor.istop.com ([66.11.176.22]:27275 "EHLO lapdance.christiehouse.net") by vger.kernel.org with ESMTP id S261295AbVDTEAd (ORCPT ); Wed, 20 Apr 2005 00:00:33 -0400 Message-ID: <4265D39D.2010301@waychison.com> Date: Tue, 19 Apr 2005 23:59:25 -0400 From: Mike Waychison User-Agent: Debian Thunderbird 1.0.2 (X11/20050331) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Eric Van Hensbergen CC: Miklos Szeredi , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, hch@infradead.org, akpm@osdl.org, viro@parcelfarce.linux.theplanet.co.uk Subject: Re: [RFC] FUSE permission modell (Was: fuse review bits) References: <3Ki1W-2pt-1@gated-at.bofh.it> <3S8oN-So-25@gated-at.bofh.it> <3S8oN-So-27@gated-at.bofh.it> <3S8oM-So-7@gated-at.bofh.it> <3UmnD-6Fy-7@gated-at.bofh.it> In-Reply-To: X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1390 Lines: 40 Eric Van Hensbergen wrote: > Somewhat related question for Viro/the group: > > Why is CLONE_NEWNS considered a priveledged operation? Would placing > limits on the number of private namespaces a user can own solve any > resource concerns or is there something more nefarious I'm missing? > - > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Likely because its a chroot vulnerability. It allows a process to obtain a reference to the root vfsmount that doesn't have chroot checks performed on it. Consider the following pseudo example: main(): chdir("/"); fd = open(".", O_RDONLY); clone(cloned_func, cloned_stack, CLONE_NEWNS, NULL); cloned_func: fchdir(fd); chdir(".."); if main is run within a chroot where it's "/" is on the same vfsmount as it's "..", then the application can step out of the chroot using clone(2). Note: using chdir in a vfsmount outside of your namespace works, however you won't be able to walk off that vfsmount (to its parent or children). Mike Waychison - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/