Re: Upstream first policy

From: Eric W. Biederman
Date: Mon Mar 08 2010 - 18:02:41 EST


Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:

> On Mon, 8 Mar 2010, Alan Cox wrote:
>>
>> Quite untrue. I've actually *used* path based security systems (DEC10
>> ACLs) and for almost every case its brain-dead.
>>
>> Imagine a world where this happened
>
> Alan, stop right there.
>
> You're making the same silly and incorrect mistake that Al did.
>
> Namely thinking that you have to have just one or the other.
>
> When you say "your /etc/passwd example is a special case", you are
> admitting that there are two different cases, but then after that, you
> still don't see the whole point I'm trying to make.
>
> Let me try again:
>
> THERE ARE DIFFERENT CASES
>
> That's the point. Just admit that, and then let the calm of "Ooh, there
> are different kinds of circumstances that may want different kinds of
> rules" permeate you.
>
> My whole (and only) argument is against the "only one way is correct"
> mentality.


Reading through all of this it occurred to me that there is a case where
path names are fundamentally important that shows up for me all of the
time. If pathnames were not fundamentally important we could apply
a patch like the one below and allow unprivileged users to unshare
the mount namespace and mount filesystems wherever. There is nothing
fundamental about those operations that requires root privileges except
that you are manipulating the pathnames of objects.

Unfortunately if we did that suid executables would become impossible
because they couldn't trust anything to start with.

Even little things like /lib64/ld-linux-x86-64.so are very special things
that you can't let just anyone change.

Eric


diff --git a/fs/namespace.c b/fs/namespace.c
index d69c06f..85ba785 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1650,10 +1650,6 @@ static int do_new_mount(struct path *path, char *type, int flags,
if (!type)
return -EINVAL;

- /* we need capabilities... */
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
lock_kernel();
mnt = do_kern_mount(type, flags, name, data);
unlock_kernel();
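Review bot: the CAP_SYS_ADMIN test is deleted from do_new_mount with no replacement authorization, so after this hunk the only remaining check before do_kern_mount() is the NULL test on type, and any caller that reaches this function can mount any registered filesystem type with caller-supplied flags and data at the requested path. If this were meant for anything beyond illustrating the email's point, the privilege check should be replaced (for example with a test tied to who owns the mount namespace being modified) rather than simply dropped, and the deleted "/* we need capabilities... */" comment should be replaced by one documenting whatever check stands in its place.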
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 1e8cda0..00fd7c5 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -180,9 +180,6 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
CLONE_NEWNET | CLONE_NEWPID)))
return 0;

- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
*new_nsp = create_new_namespaces(unshare_flags, current,
new_fs ? new_fs : current->fs);
if (IS_ERR(*new_nsp)) {
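Review bot: with the CAP_SYS_ADMIN test removed, unshare_nsproxy_namespaces has no privilege check left at all: the only early return still visible is the flags test above it, which just returns 0 when none of the CLONE_NEW* flags is set, so every unprivileged caller that asks for a new namespace now falls straight through to create_new_namespaces(). Note that this hunk covers more than the mount-namespace case the email discusses, since the same condition visibly includes CLONE_NEWNET and CLONE_NEWPID; if the intent were only to let unprivileged users unshare the mount namespace, the check would need to be narrowed to those flags rather than removed, and the new namespaces would still be created with current's existing credentials and fs.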

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/