On Tue, Apr 29, 2014 at 4:06 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Tue, Apr 29, 2014 at 03:45:24PM -0700, Andy Lutomirski wrote:
>>
>> Wait, what?
>>
>> Inodes aren't owned by user namespaces; they're owned by users. And any
>> user can arrange to have a user namespace in which they pass an
>> inode_capable check on any inode that they own.
>>
>> Presumably there's a reason that CAP_SYS_IMMUTABLE is needed. If this
>> gets merged, then it would be better to just drop CAP_SYS_IMMUTABLE
>> entirely.
>>
>> Nacked-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>
> Right, but you can't set a mapping in a child namespace unless you
> have CAP_SETUID in the parent namespace, right?

Nope. You can't set a mapping for someone else's uid, but you can certainly map your own.

> Otherwise user
> namespaces are completely broken from a security perspective, since
> inode_capable() could never do the right thing.

I don't know what inode_capable's "right thing" is, but at least one of the existing callers is blatantly wrong. Patches coming shortly.

>
> Personally, reading how user namespaces work, it makes the hair rise
> on the back of my neck. I'm not sure the concept works at all from a
> security perspective, but hey, I'm not using user namespaces, and some
> fool thought it was worth merging. :-)

I like them. I've also found quite a few serious bugs in them. So go figure :)

--Andy

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers