Re: unprivileged mounts git tree

[Serge E. Hallyn]

Quoting Miklos Szeredi (miklos@xxxxxxxxxx):
> On Wed, 3 Sep 2008, Serge E. Hallyn wrote:
> > Quoting Miklos Szeredi (miklos@xxxxxxxxxx):
> > > On Wed, 3 Sep 2008, Serge E. Hallyn wrote:
> > > > Ooh.
> > > > 
> > > > You predicate the turning of shared mount to a slave mount on
> > > > !capable(CAP_SYS_ADMIN).  But in fact it's the mount by a privileged
> > > > user, turning the mount into a user mount, which you want to convert.
> > > > So my series of steps was:
> > > > 
> > > > 	as root:
> > > > 		(1) mount --bind /mnt /mnt
> > > > 		(2) mount --make-rshared /mnt
> > > > 		(3) /usr/src/mmount-0.3/mmount --bind -o user=hallyn /mnt \
> > > > 			/home/hallyn/etc/mnt
> > > > 	as hallyn:
> > > > 		(4) mount --bind /usr /home/hallyn/etc/mnt/usr
> > > > 
> > > > You are turning mounts from shared->slave at step 4, but in fact we need
> > > > to do it at step 3, where we do have CAP_SYS_ADMIN.
> > > 
> > > Well, that's arguable: I think root should be able to shoot itself in
> > > the foot by doing step 3.
> > 
> > Maybe I'm not thinking right, but long-term is there any reason why we
> > should require privilege in order to do step 3, so long as the user has
> > read access to the source and write access to the destination?
> > 
> > I don't think there is.  Other than this glitch.  That's a powerful
> > reason to fix the glitch.
> 
> Agreed, without privileges it's unacceptable to allow step 3 as is.
> 
> > The other argument is that, frankly, I think most people are still
> > either unaware of, or confused by, mounts propagation.  Letting root
> > shoot himself in the foot is reasonable only to a point.
> 
> Hmm, I think there are infinite ways in which root can mess up mount
> propagation, and this is not even the worst.  I'm not trying to
> belittle this bug: done unprivileged it's unacceptable.  But with
> privileges, I really don't know if we should change the propagation
> semantics for this corner case, they are complicated enough already.
> 
> > > Generally we don't restrict what root can
> > > do.  OTOH I agree that current behavior is ugly in that it provides
> > > different semantics for privileged/non-privileged callers.
> > > 
> > > Perhaps it would be cleaner to simply not allow step 4, instead of
> > > playing tricks with changing the propagation type.
> > 
> > If the user or admin can simply (I haven't tested)
> > 
> > 	mmount --bind --make-rslave -o user=hallyn /mnt \
> > 		/home/hallyn/etc/mnt
> > 
> > then returning -EPERM if --make-rslave was not provided is reasonable
> > IMO.
> 
> Right, that sounds perfect.  the only problem is, bind mount currently
> ignores the propagation flags, for no good reason I can see.
> 
> That's a separate patch though.  I'll look into it.
> 
> Thanks,
> Miklos

Cool, thanks, Miklos :)

Are you going to revert the change forcing CL_SLAVE for
!capable(CAP_SYS_ADMIN)?  I don't think we want that - I think that
*within* a set of user mounts, propagation should be safe, right?

Will you be able to do this soon?  If not, should we just do the part
returning -EPERM when turning a shared mount into a user mount? 
Because I think that would then be ready for testing in -mm, and would
love to see it tested.

Were you going to push a patch to mount to do the user mounts, or
put sample code in Documentation, git log, or under samples/?

thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/