Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262251AbVEMFro (ORCPT ); Fri, 13 May 2005 01:47:44 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262253AbVEMFro (ORCPT ); Fri, 13 May 2005 01:47:44 -0400 Received: from rev.193.226.232.93.euroweb.hu ([193.226.232.93]:49419 "EHLO dorka.pomaz.szeredi.hu") by vger.kernel.org with ESMTP id S262251AbVEMFrj (ORCPT ); Fri, 13 May 2005 01:47:39 -0400 To: hbryan@us.ibm.com CC: ericvh@gmail.com, hch@infradead.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, smfrench@austin.rr.com In-reply-to: (message from Bryan Henderson on Thu, 12 May 2005 14:08:21 -0700) Subject: Re: [RCF] [PATCH] unprivileged mount/umount References: Message-Id: From: Miklos Szeredi Date: Fri, 13 May 2005 07:47:07 +0200 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2093 Lines: 45 > > So if a user creates a private namespace, it should have the choice of: > > > > 1) Giving up all suid rights (i.e. all mounts are cloned and > > propagated with nosuid) > > > > 2) Not giving up suid for cloned and propagated mounts, but having > > extra limitations (suid/sgid programs cannot access unprivileged > > "synthetic" mounts) > > (2) isn't realistic. There's no such thing as a suid program. Suid is a > characteristic of a _file_. There's no way to know whether a given > executing program is running with privileges that came from a suid file > getting exec'ed. Bear in mind that that exec could be pretty remote -- > done by a now-dead ancestor with three more execs in between. > > Many user space programs contain hacks to try to discern this information, > and they often cause me headaches and I have to fix them. The usual hacks > are euid==uid, euid==suid, and/or euid==0. It would be an order of > magnitude worse for the kernel to contain such a hack. Guess what? It's already there. Look in ptrace_attach() in kernel/ptrace.c You could argue about the usefulness of ptrace. The point is, that suid/sgid programs _can_ be discerned, and ptrace _needs_ to discern them. And for the same reason, user controlled filesystems also need to do this check. See Documentation/filesystems/fuse.txt in -mm and later discussion in this thread for more information. The strange thing is that people argue so vehemently about this on theoretical grounds. But practice shows, that there's in fact no problem with it whatsoever. This check (or something similar), has been in FUSE for more than 3 years, used by thousands of people, and it didn't cause _any_ problems, except various sub-mount related things, which we are trying to solve properly, by making mount unprivileged. Miklos - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/