Re: [PATCH v2]lxc: don't mount dir if ownership couldn't be known

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
> 
> 
> > -----Original Message-----
> > From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx]
> > Sent: Wednesday, November 13, 2013 6:35 PM
> > To: Chen Hanxiao
> > Cc: libvir-list@xxxxxxxxxx
> > Subject: Re:  [PATCH v2]lxc: don't mount dir if ownership couldn't be
> > known
> > 
> > On Wed, Nov 13, 2013 at 04:51:43PM +0800, Chen Hanxiao wrote:
> > > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> > >
> > > If we enable userns, we could bind mount
> > > some dirs from host to guest, which don't belong to
> > > the target mapped uid/gid.
> > >
> > > Such as we could bind mount root's dirs to guest.
> > > What is worse, we could even modify root's files
> > > in that bind dir inside container.
> > 
> > I still can't see what the problem is from the description
> > here. Please can you give a clear example of the config
> > used and exactly what goes wrong.
> > 
> 
> 1. enable user namespace
>   <idmap>
>     <uid start='0' target='1001' count='10'/>
>     <gid start='0' target='1001' count='10'/>
>   </idmap>
> 
> 2. bind mount some dirs to container, which belongs to root or other users.
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/media/LXC1'/>
>       <target dir='/mnt'/>
>     </filesystem>
> 
> # ll /media/
> ...
> drwxr-xr-x.  3 root root    4096 Nov 13 17:21 LXC1
> ...
> 
> 3. start container
> 
> I used to encounter issues: inside container, we could modify files under /mnt
> 
> So I think inside user namespace, if we do not have a proper id mapping,
> we should not bind mount it for containers, or at least set it as readonly.

I don't see any security problem in what we're doing already

In the host I ran

 # mkdir /tmp/otheruser
 # echo foo > /tmp/otheruser/hello.txt
 # chown 500:500 /tmp/otheruser/
 # chown 500:500 /tmp/otheruser/hello.txt 
 # chmod o-rwx /tmp/otheruser/hello.txt 

And the container config has

  <idmap>
    <uid start='0' target='1001' count='10'/>
    <gid start='0' target='1001' count='10'/>
  </idmap>

    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/tmp/otheruser'/>
      <target dir='/mnt'/>
    </filesystem>


If I start the container now

  # virsh start --console shell
  Connected to domain shell
  Escape character is ^]
  # cd /mnt/
  # ls -al
  total 8
  drwxr-xr-x    2 65534    65534           60 Nov 18 15:51 .
  drwxr-xr-x    8 0        0             4096 Nov 18 15:52 ..
  -rw-r-----    1 65534    65534            4 Nov 18 15:51 hello.txt
  # cat hello.txt 
  cat: can't open 'hello.txt': Permission denied

Everything appears to be working as designed. The directory is set to
the overflow users, and so my permissions inside the container are
restricted to whatever the 'other' bit in the permission mask allows
for. 'r-x' for the directory lets me see it, but '---' prevents we
reading the file 'hello.txt'.

So I don't see what your patch is trying to fix

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]