> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx]
> Sent: Monday, November 18, 2013 11:57 PM
> To: Chen Hanxiao
> Cc: libvir-list@xxxxxxxxxx
> Subject: Re: [PATCH v2]lxc: don't mount dir if ownership couldn't be
> known
>
> On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
> >
> > I used to encounter issues: inside container, we could modify files under /mnt
> >
> > So I think inside user namespace, if we do not have a proper id mapping,
> > we should not bind mount it for containers, or at least set it as readonly.
>
> I don't see any security problem in what we're doing already
>
> In the host I ran
>
>   # mkdir /tmp/otheruser
>   # echo foo > /tmp/otheruser/hello.txt
>   # chown 500:500 /tmp/otheruser/
>   # chown 500:500 /tmp/otheruser/hello.txt
>   # chmod o-rwx /tmp/otheruser/hello.txt
>
> And the container config has
>
>   <idmap>
>     <uid start='0' target='1001' count='10'/>
>     <gid start='0' target='1001' count='10'/>
>   </idmap>
>
>   <filesystem type='mount' accessmode='passthrough'>
>     <source dir='/tmp/otheruser'/>
>     <target dir='/mnt'/>
>   </filesystem>
>
> If I start the container now
>
>   # virsh start --console shell
>   Connected to domain shell
>   Escape character is ^]
>   # cd /mnt/
>   # ls -al
>   total 8
>   drwxr-xr-x    2 65534    65534           60 Nov 18 15:51 .
>   drwxr-xr-x    8 0        0             4096 Nov 18 15:52 ..
>   -rw-r-----    1 65534    65534            4 Nov 18 15:51 hello.txt
>   # cat hello.txt
>   cat: can't open 'hello.txt': Permission denied
>
> Everything appears to be working as designed. The directory is set to
> the overflow users, and so my permissions inside the container are
> restricted to whatever the 'other' bit in the permission mask allows
> for. 'r-x' for the directory lets me see it, but '---' prevents me
> reading the file 'hello.txt'.
>
> So I don't see what your patch is trying to fix

Sorry for the late reply.

On one kernel version of 3.11-rcX, I did encounter an issue where we could MODIFY the kernel's file without the related permission mask inside the container.
Gao said that couldn't happen, and I couldn't reproduce that issue on 3.12. (I lost the original env.)
If I encounter this issue again, I'll have Gao check it with me.

Thanks for your experiment.

> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
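As an added illustration that is not part of the thread, the Python below models the two kernel rules behind Daniel's experiment: a host uid/gid outside the `<idmap>` range is shown inside the container as the overflow id 65534, and container root's CAP_DAC_OVERRIDE only bypasses the mode bits on inodes whose owner ids are mapped into the namespace, so for `hello.txt` the 'other' bits decide. The function names, `OVERFLOW_ID` and the replayed file modes are this example's own assumptions.

```python
# Added example, not from the thread: user-namespace id translation and DAC check.
OVERFLOW_ID = 65534  # kernel overflowuid/overflowgid default, what `ls` showed
# libvirt <idmap> as (start, target, count): container ids start.. map to host target..
IDMAP = [(0, 1001, 10)]


def container_to_host(cid, idmap):
    """Host id behind a container id, or None if no such id exists inside."""
    for start, target, count in idmap:
        if start <= cid < start + count:
            return target + (cid - start)
    return None


def host_to_container(hid, idmap):
    """Container view of a host id; unmapped ids appear as the overflow id."""
    for start, target, count in idmap:
        if target <= hid < target + count:
            return start + (hid - target)
    return OVERFLOW_ID


def dac_allowed(mode, owner_uid, owner_gid, proc_uid, proc_gid, want):
    """Owner/group/other check on host-side (kernel) ids; want is 'r', 'w' or 'x'."""
    need = {"r": 4, "w": 2, "x": 1}[want]
    shift = 6 if proc_uid == owner_uid else 3 if proc_gid == owner_gid else 0
    return ((mode >> shift) & need) == need


def container_access(mode, owner_uid, owner_gid, idmap, want, proc_uid=0, proc_gid=0):
    """Can a container process (ids as seen inside) do `want` on a host-owned file?"""
    huid = container_to_host(proc_uid, idmap)
    hgid = container_to_host(proc_gid, idmap)
    # Container root's CAP_DAC_OVERRIDE only counts for inodes whose owner ids
    # are mapped into the namespace; an overflow-owned file gets no bypass.
    owner_mapped = (host_to_container(owner_uid, idmap) != OVERFLOW_ID
                    and host_to_container(owner_gid, idmap) != OVERFLOW_ID)
    if proc_uid == 0 and owner_mapped:
        return want != "x" or bool(mode & 0o111)  # exec still needs some x bit
    return dac_allowed(mode, owner_uid, owner_gid, huid, hgid, want)


def experiment():
    """Replay the host setup above: /tmp/otheruser (0755) and hello.txt (0640), owner 500:500."""
    return {
        "owner_seen_inside": host_to_container(500, IDMAP),
        "dir_list": container_access(0o755, 500, 500, IDMAP, "r"),
        "file_read": container_access(0o640, 500, 500, IDMAP, "r"),
        "file_write": container_access(0o640, 500, 500, IDMAP, "w"),
        # constructed contrast: a 0600 file owned by host 1005 (container uid 4)
        "mapped_other_read": container_access(0o600, 1005, 1005, IDMAP, "r"),
    }
```

The last entry shows the flip side: once the owner is inside the mapped range, container root regains its DAC override even over a mode that grants 'other' nothing.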