On Mon, Nov 2, 2015 at 10:02 AM, Serge Hallyn <serge.hallyn@xxxxxxxxxx> wrote: > Quoting Dirk Steinmetz (public@xxxxxxxxxxxxxxxxxx): >> >> > We've already dealt with such regressions and iirc agreed that they were >> > worthwhile. >> Would you prefer to not fix the issue at all, then? Or would you prefer to > > No. I think I was saying I think it's worth adding the 'gid must be mapped' > requirement. > > And I was saying that changing the capability needed is not ok. > >> add a new value on /proc/sys/fs/protected_hardlinks -- which would still >> cause the symptoms you describe on distributions using the new value, but >> would be more easy to change for users knowing that this is an issue? >> >> I personally still favor changing the behavior and documentation over a new >> value there, as -- once identified by the user -- the user can easily adapt > > I agree. > > Note the difference - changing the capability required to link the > file can affect (probably rare, but definately) normal, non-user-namespace > setups. Changing the link requirements in a user namespace so that gid > must be mapped only affects a case which we've previously said should not > be supported. I think it would have no effect at all on setups that don't use userns, so at least the exposure to potential ABI issues would be small. > > Linus may still disagree - not changing what userspace can do is pretty > fundamental, but this was purely a missed security fix iiuc. IIRC I just didn't do it because I didn't want to think about it at the time, and it didn't look like a *big* security issue. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
