Re: [RFC] FUSE permission modell (Was: fuse review bits)

From: Miklos Szeredi
Date: Wed Apr 20 2005 - 02:11:54 EST

Next message: Yann Dupont: "Re: E1000 - page allocation failure - saga continues :("
Previous message: Dinakar Guniguntala: "Re: [Lse-tech] Re: [RFC PATCH] Dynamic sched domains aka Isolated cpusets"
In reply to: Mike Waychison: "Re: [RFC] FUSE permission modell (Was: fuse review bits)"
Next in thread: Bodo Eggert <harvested.in.lkml@xxxxxxxxxxxxxxxxxxxxxxxxxx>: "Re: [RFC] FUSE permission modell (Was: fuse review bits)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Likely because its a chroot vulnerability.
>
> It allows a process to obtain a reference to the root vfsmount that
> doesn't have chroot checks performed on it.
>
> Consider the following pseudo example:
>
[...]
>
> if main is run within a chroot where it's "/" is on the same vfsmount as
> it's "..", then the application can step out of the chroot using clone(2).
>
> Note: using chdir in a vfsmount outside of your namespace works, however
> you won't be able to walk off that vfsmount (to its parent or children).

How about fixing fchdir, so it checks whether you gone outside the
tree under current->fs->rootmnt? Should be fairly easy to do.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Yann Dupont: "Re: E1000 - page allocation failure - saga continues :("
Previous message: Dinakar Guniguntala: "Re: [Lse-tech] Re: [RFC PATCH] Dynamic sched domains aka Isolated cpusets"
In reply to: Mike Waychison: "Re: [RFC] FUSE permission modell (Was: fuse review bits)"
Next in thread: Bodo Eggert <harvested.in.lkml@xxxxxxxxxxxxxxxxxxxxxxxxxx>: "Re: [RFC] FUSE permission modell (Was: fuse review bits)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]