Thread (2 messages, 2 authors), 2013-03-16

Re: [PATCH 3/4] fs: allow mknod in user namespaces

From: Serge Hallyn <hidden>
Date: 2013-03-16 00:23:28
Also in: linux-fsdevel

Quoting Eric W. Biederman (ebiederm@xmission.com):
> Glauber Costa [off-list ref] writes:
>
> > Since we have strict control on who accesses the devices, it should be
> > no problem to allow the device to appear.
>
> Having cgroups or user namespaces grant privileges makes me uneasy.
>
> With these patches it looks like I can do something evil like:
>
> 1. Create a devcgroup.
> 2. Put a process in it.
> 3. Create a usernamespace.
> 4. Run a container in that user namespace.
> 5. As an unprivileged user in that user namespace create another user namespace.
> 6. Call mknod and have it succeed.

Not if the devcgroup forbids it.

> Or in short I don't think this handles nested user namespaces at all.
> With or without Serge's suggested change.

Yeah, my change doesn't help, other than to stop the unpriv user from
creating the device in an fs he doesn't own...

> At a practical level now is not the right time to be granting more
> permissions to user namespaces.  Lately too many silly bugs have been
> found in what is already there.

I agree.

I realize this doesn't help the centos old-udev situation, but otherwise
bind mounting device files works fine, so I agree we should wait.
Sorry.

-serge
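The thread turns on whether an unprivileged process that creates a fresh user namespace (steps 3 to 6 above) is allowed to call mknod. The probe below is an added example, not code from the thread, from the patch under discussion or from the kernel tree: it forks a child, enters a new user namespace with the caller mapped to uid 0 there, attempts to create a harmless character device node (1:3, /dev/null's numbers) in a private temporary directory, and reports whether the kernel permitted it. On a mainline kernel the expected result is "denied", because CAP_MKNOD is checked against the user namespace that owns the filesystem, and a freshly created namespace owns no filesystem. The result codes, the file names under /tmp and the assumption that /tmp sits on a host-owned filesystem are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case _GNU_SOURCE was not in effect when the headers were read. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
extern int unshare(int flags);

/* Outcome of one probe (example codes); PROBE_MKNOD_DENIED is mainline behaviour. */
enum probe_result {
    PROBE_MKNOD_ALLOWED = 0, /* mknod succeeded inside the fresh user namespace */
    PROBE_MKNOD_DENIED  = 1, /* mknod failed (EPERM on mainline) */
    PROBE_NO_USERNS     = 2, /* unshare(CLONE_NEWUSER) failed: userns off or blocked */
    PROBE_ERROR         = 3  /* fork, temp dir or wait failure; nothing was probed */
};

/* Write a short string to a proc file; returns 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child side: become "root" in a new user namespace, then try mknod. */
static int child_probe(const char *node_path)
{
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0)
        return PROBE_NO_USERNS;

    /* An unprivileged process may map exactly its own ids; setgroups must be
     * denied before gid_map can be written. Even if these writes fail we are
     * already inside the namespace, and the mknod attempt is what we measure. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    write_file("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    write_file("/proc/self/gid_map", map);

    /* Character device 1:3 is /dev/null; the node lives in a private temp
     * directory and is removed immediately if the kernel did create it. */
    if (mknod(node_path, S_IFCHR | 0600, makedev(1, 3)) == 0) {
        unlink(node_path);
        return PROBE_MKNOD_ALLOWED;
    }
    return PROBE_MKNOD_DENIED;
}

/* Fork so the caller's own namespace is untouched; returns a probe_result. */
int userns_mknod_probe(void)
{
    char dir[] = "/tmp/userns-mknod-XXXXXX"; /* constructed path pattern */
    char node_path[sizeof dir + 8];
    int status;
    pid_t pid;

    if (mkdtemp(dir) == NULL)
        return PROBE_ERROR;
    snprintf(node_path, sizeof node_path, "%s/null", dir);

    pid = fork();
    if (pid < 0) {
        rmdir(dir);
        return PROBE_ERROR;
    }
    if (pid == 0)
        _exit(child_probe(node_path));

    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        unlink(node_path);
        rmdir(dir);
        return PROBE_ERROR;
    }
    unlink(node_path);
    rmdir(dir);
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = {
        "mknod ALLOWED inside a fresh user namespace (the case the thread warns about)",
        "mknod DENIED inside a fresh user namespace (mainline behaviour)",
        "user namespaces unavailable or blocked; nothing to conclude",
        "probe could not run",
    };
    int r = userns_mknod_probe();
    printf("%s\n", names[r]);
    return r == PROBE_MKNOD_DENIED ? 0 : 1;
}
```

Run it as an ordinary user; a PROBE_NO_USERNS result means unprivileged user namespaces are disabled or filtered by seccomp on that host, which is a different policy question from the one the thread discusses and should be read as "not tested" rather than "safe".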