Message ID | 1449070821-73820-19-git-send-email-seth.forshee@canonical.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Quoting Seth Forshee (seth.forshee@canonical.com): > Unprivileged users are normally restricted from mounting with the > allow_other option by system policy, but this could be bypassed > for a mount done with user namespace root permissions. In such > cases allow_other should not allow users outside the userns > to access the mount as doing so would give the unprivileged user > the ability to manipulate processes it would otherwise be unable > to manipulate. Restrict allow_other to apply to users in the same > userns used at mount or a descendant of that namespace. > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > --- > fs/fuse/dir.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c > index f67f4dd86b36..5b8edb1203b8 100644 > --- a/fs/fuse/dir.c > +++ b/fs/fuse/dir.c > @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) > { > const struct cred *cred; > > - if (fc->flags & FUSE_ALLOW_OTHER) > - return 1; > + if (fc->flags & FUSE_ALLOW_OTHER) { > + struct user_namespace *ns; > + for (ns = current_user_ns(); ns; ns = ns->parent) { > + if (ns == fc->user_ns) > + return 1; > + } use current_in_userns() ? > + return 0; > + } > > cred = current_cred(); > if (uid_eq(cred->euid, fc->user_id) && > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/
On Fri, Dec 04, 2015 at 02:05:41PM -0600, Serge E. Hallyn wrote: > Quoting Seth Forshee (seth.forshee@canonical.com): > > Unprivileged users are normally restricted from mounting with the > > allow_other option by system policy, but this could be bypassed > > for a mount done with user namespace root permissions. In such > > cases allow_other should not allow users outside the userns > > to access the mount as doing so would give the unprivileged user > > the ability to manipulate processes it would otherwise be unable > > to manipulate. Restrict allow_other to apply to users in the same > > userns used at mount or a descendant of that namespace. > > > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > --- > > fs/fuse/dir.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c > > index f67f4dd86b36..5b8edb1203b8 100644 > > --- a/fs/fuse/dir.c > > +++ b/fs/fuse/dir.c > > @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) > > { > > const struct cred *cred; > > > > - if (fc->flags & FUSE_ALLOW_OTHER) > > - return 1; > > + if (fc->flags & FUSE_ALLOW_OTHER) { > > + struct user_namespace *ns; > > + for (ns = current_user_ns(); ns; ns = ns->parent) { > > + if (ns == fc->user_ns) > > + return 1; > > + } > > use current_in_userns() ? Yes, it should. I wrote this before I wrote the patch which adds that function and never thought to go back to change it here.
On Fri, Dec 04, 2015 at 02:43:19PM -0600, Seth Forshee wrote: > On Fri, Dec 04, 2015 at 02:05:41PM -0600, Serge E. Hallyn wrote: > > Quoting Seth Forshee (seth.forshee@canonical.com): > > > Unprivileged users are normally restricted from mounting with the > > > allow_other option by system policy, but this could be bypassed > > > for a mount done with user namespace root permissions. In such > > > cases allow_other should not allow users outside the userns > > > to access the mount as doing so would give the unprivileged user > > > the ability to manipulate processes it would otherwise be unable > > > to manipulate. Restrict allow_other to apply to users in the same > > > userns used at mount or a descendant of that namespace. > > > > > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > > --- > > > fs/fuse/dir.c | 10 ++++++++-- > > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > > > diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c > > > index f67f4dd86b36..5b8edb1203b8 100644 > > > --- a/fs/fuse/dir.c > > > +++ b/fs/fuse/dir.c > > > @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) > > > { > > > const struct cred *cred; > > > > > > - if (fc->flags & FUSE_ALLOW_OTHER) > > > - return 1; > > > + if (fc->flags & FUSE_ALLOW_OTHER) { > > > + struct user_namespace *ns; > > > + for (ns = current_user_ns(); ns; ns = ns->parent) { > > > + if (ns == fc->user_ns) > > > + return 1; > > > + } > > > > use current_in_userns() ? > > Yes, it should. I wrote this before I wrote the patch which adds that > function and never thought to go back to change it here. Ok - Acked-by: Serge Hallyn <serge.hallyn@canonical.com> thanks.
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index f67f4dd86b36..5b8edb1203b8 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) { const struct cred *cred; - if (fc->flags & FUSE_ALLOW_OTHER) - return 1; + if (fc->flags & FUSE_ALLOW_OTHER) { + struct user_namespace *ns; + for (ns = current_user_ns(); ns; ns = ns->parent) { + if (ns == fc->user_ns) + return 1; + } + return 0; + } cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) &&
Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the unprivileged user the ability to manipulate processes it would otherwise be unable to manipulate. Restrict allow_other to apply to users in the same userns used at mount or a descendant of that namespace. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> --- fs/fuse/dir.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)