Re: [PATCH] Revert "vfs: Allow userns root to call mknod on owned filesystems."

[Eric W. Biederman]

ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes:

> Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> Your description is usesless.
>
> It needs to detail exactly what breaks, what regressions and why.
> All I see below is hand waving.
>
> We need to know why this does not work so someone does not come in and try
> this again.  Or so that someone can fix this and then try again.
>
> You do not include that kind of information in your commit log.
>
> Calling mknod to create device nodes can not be widespread.  There are
> not that many privileged processes and calling mknod outside of being
> a specialed process like udev is broken.
>
> Therefore I refute your assertion that this is a widespread issue.
>
>
> I expect somewhere there is a reasonable argument for reverting this
> change on the basis that it causes a regression. You have not made it.
>
> Until that time I am going to oppose this revert because your
> justfication for the revert is lacking.
>
>
> It has never been the case that mknod on a device node will guarantee
> that you even can open the device node.  The applications that regress
> are broken.  It doesn't mean we shouldn't be bug compatible, but we darn
> well should document very clearly the bugs we are being bug compatible
> with.
>

Further from what I have seen of this issue, there is a compelling case
that what the applications that are broken what what is enabled by
allowing mknod to succeed.  So we absolutely need a good description of
what is going on, because at best a revert to fix today's breaking is
temporary until userspace gets their bugs fixed.

Eric