On Thu, 4 Sep 2008, Serge E. Hallyn wrote: > Quoting Miklos Szeredi (miklos@xxxxxxxxxx): > > On Thu, 04 Sep 2008, Miklos Szeredi wrote: > > > On Thu, 4 Sep 2008, Serge E. Hallyn wrote: > > > > Are you going to revert the change forcing CL_SLAVE for > > > > !capable(CAP_SYS_ADMIN)? I don't think we want that - I think that > > > > *within* a set of user mounts, propagation should be safe, right? > > > > > > > > Will you be able to do this soon? If not, should we just do the part > > > > returning -EPERM when turning a shared mount into a user mount? > > > > > > OK, let's do that first and the tricky part (propagation vs. user > > > mounts) later. Will push after I've tested it. > > > > Here it is: > > > > git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git unprivileged-mounts > > but you're still doing > > if (IS_MNT_SHARED(old_nd.path.mnt) && !capable(CAP_SYS_ADMIN)) > goto out; > > shouldn't it be something like > > if (IS_MNT_SHARED(old_nd.path.mnt) && (old_nd.path.mnt & MNT_USER)) > goto out; > > ? Why would that be an error? There's no real security gain to be had from restricting a privileged user, but could cause a lot of annoyance. If we think this is dangerous, then protection should be built into mount(8) with an option to override. But not into the kernel, IMO. Miklos -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html