On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
> 
> 
> > -----Original Message-----
> > From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx]
> > Sent: Wednesday, November 13, 2013 6:35 PM
> > To: Chen Hanxiao
> > Cc: libvir-list@xxxxxxxxxx
> > Subject: Re: [PATCH v2]lxc: don't mount dir if ownership couldn't be
> > known
> > 
> > On Wed, Nov 13, 2013 at 04:51:43PM +0800, Chen Hanxiao wrote:
> > > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> > > 
> > > If we enable userns, we could bind mount
> > > some dirs from host to guest, which don't belong to
> > > the target mapped uid/gid.
> > > 
> > > Such as we could bind mount root's dirs to guest.
> > > What is worse, we could even modify root's files
> > > in that bind dir inside container.
> > 
> > I still can't see what the problem is from the description
> > here. Please can you give a clear example of the config
> > used and exactly what goes wrong.
> > 
> 
> 1. enable user namespace
> 
>   <idmap>
>     <uid start='0' target='1001' count='10'/>
>     <gid start='0' target='1001' count='10'/>
>   </idmap>
> 
> 2. bind mount some dirs to container, which belong to root or other users.
> 
>   <filesystem type='mount' accessmode='passthrough'>
>     <source dir='/media/LXC1'/>
>     <target dir='/mnt'/>
>   </filesystem>
> 
>   # ll /media/
>   ...
>   drwxr-xr-x. 3 root root 4096 Nov 13 17:21 LXC1
>   ...
> 
> 3. start container
> 
> I used to encounter issues: inside container, we could modify files under /mnt
> 
> So I think inside user namespace, if we do not have a proper id mapping,
> we should not bind mount it for containers, or at least set it as readonly.
I don't see any security problem in what we're doing already.

In the host I ran

  # mkdir /tmp/otheruser
  # echo foo > /tmp/otheruser/hello.txt
  # chown 500:500 /tmp/otheruser/
  # chown 500:500 /tmp/otheruser/hello.txt
  # chmod o-rwx /tmp/otheruser/hello.txt

And the container config has

  <idmap>
    <uid start='0' target='1001' count='10'/>
    <gid start='0' target='1001' count='10'/>
  </idmap>
  <filesystem type='mount' accessmode='passthrough'>
    <source dir='/tmp/otheruser'/>
    <target dir='/mnt'/>
  </filesystem>

If I start the container now

  # virsh start --console shell
  Connected to domain shell
  Escape character is ^]
  # cd /mnt/
  # ls -al
  total 8
  drwxr-xr-x    2 65534    65534           60 Nov 18 15:51 .
  drwxr-xr-x    8 0        0             4096 Nov 18 15:52 ..
  -rw-r-----    1 65534    65534            4 Nov 18 15:51 hello.txt
  # cat hello.txt
  cat: can't open 'hello.txt': Permission denied

Everything appears to be working as designed. The directory is set to the
overflow users, and so my permissions inside the container are restricted
to whatever the 'other' bit in the permission mask allows for. 'r-x' for
the directory lets me see it, but '---' prevents me reading the file
'hello.txt'.

So I don't see what your patch is trying to fix.

Regards,
Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
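The disagreement above turns on what a user namespace does with a host file whose owner lies outside the container's <idmap>. The following is an added example, not code from libvirt or from either poster: a small Python model of the two kernel rules Daniel's output relies on. Host ids outside every mapped range are shown inside the namespace as the overflow id (65534, the default of /proc/sys/kernel/overflowuid), and permission checks compare host-side ids, so a container process can never be the owner or group of such a file and is confined to the 'other' bits. The idmap tuples mirror the <uid start= target= count=/> attributes from the thread; the sample files (hello.txt as 0640 owned by 500:500, its directory as 0755) are constructed to match Daniel's run. Capability overrides inside the namespace (CAP_DAC_OVERRIDE over mapped ids) are deliberately not modelled.

```python
# Added example (not libvirt code): model how a libvirt <idmap> changes what a
# container sees of a bind-mounted host directory, and which permission class
# then applies. Sample idmap and files are constructed to match the thread.

OVERFLOW_ID = 65534  # kernel default for overflowuid/overflowgid ("nobody")

# libvirt: <uid start='0' target='1001' count='10'/> -> (start, target, count)
SAMPLE_IDMAP = [(0, 1001, 10)]

# (name, mode, is_dir, host_owner_uid, host_owner_gid), as in Daniel's host setup
SAMPLE_FILES = [
    (".", 0o755, True, 500, 500),
    ("hello.txt", 0o640, False, 500, 500),
]


def host_to_container(host_id, idmap):
    """Translate a host uid/gid into the container's view of it.

    Container ids [start, start+count) correspond to host ids
    [target, target+count). A host id outside every range is unmapped and
    is presented as the overflow id inside the namespace.
    """
    for start, target, count in idmap:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return OVERFLOW_ID


def container_to_host(container_id, idmap):
    """Inverse mapping: the host id a container process really runs as.

    Returns None if the container id has no host counterpart.
    """
    for start, target, count in idmap:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def effective_access(mode, owner_uid, owner_gid, proc_uid, proc_gid, idmap):
    """Return (read, write, exec) for a container process on a host file.

    proc_uid/proc_gid are the ids the process has *inside* the container
    (0 for container root). POSIX class selection is done on host ids:
    owner bits if the uid matches, else group bits if the gid matches,
    else 'other' bits. An owner outside the idmap therefore never matches.
    Capability overrides (CAP_DAC_OVERRIDE within the userns) are ignored.
    """
    host_uid = container_to_host(proc_uid, idmap)
    host_gid = container_to_host(proc_gid, idmap)
    if host_uid is not None and host_uid == owner_uid:
        shift = 6
    elif host_gid is not None and host_gid == owner_gid:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def mode_string(mode, is_dir=False):
    """Render a mode like ls does, e.g. 0o640 -> '-rw-r-----'."""
    out = "d" if is_dir else "-"
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        out += "x" if bits & 1 else "-"
    return out


def container_ls_line(name, mode, is_dir, owner_uid, owner_gid, idmap):
    """One 'ls -l'-style line as seen from inside the container."""
    uid = host_to_container(owner_uid, idmap)
    gid = host_to_container(owner_gid, idmap)
    return "%s %d %d %s" % (mode_string(mode, is_dir), uid, gid, name)


if __name__ == "__main__":
    # Reproduce the container-side view of Daniel's /mnt, running as
    # container root (0:0), which is host 1001:1001 under SAMPLE_IDMAP.
    for name, mode, is_dir, uid, gid in SAMPLE_FILES:
        print(container_ls_line(name, mode, is_dir, uid, gid, SAMPLE_IDMAP))
        r, w, x = effective_access(mode, uid, gid, 0, 0, SAMPLE_IDMAP)
        print("  container root: read=%s write=%s exec=%s" % (r, w, x))
```

Running it shows hello.txt as `-rw-r----- 65534 65534` with no access for container root, and the directory as readable and searchable but not writable, which is exactly the confinement Daniel observed; changing the file's host owner to an id inside 1001..1010 is what would make it writable from the container.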