On Mon, Feb 29, 2016 at 11:25:46AM -0500, thus spake Vivek Goyal:
> I agree that semantics should be more consistent. I don't know that
> if upper layer should override lower layer checks or not.
>
> One could also argue that if root did chown, then changes effectively
> happened in upper layer and anything in upper layer should become
> visible to unprivileged user but not the one in lower layer.
>
> I just don't know. I guess those who have more background on this
> could pitch in and clarify what is supposed to be the design
> intention.
>
> [...]
>
> Right, but it does not say anything about what happens to DAC checks
> at lower layer. IOW, it does not say that if lower directory owner
> is different then whether files from that directory will become searchable
> or not.

I suppose that looking at these questions from the perspective of the
primary application of OverlayFS, i.e. embedded systems with lower
being some read-only SquashFS and upper being read-write, may give
some good intuition on how this should work.

If the root user changes access rights to some directories, then it is
natural that permissions in upper are less restrictive than
permissions in lower and this in no way breaks any security.

If you're thinking about what happens if some overlay is mounted where
the more permissive directory in upper shadows a less permissive one
in lower, then well, the only user able to mount such an overlay,
i.e. root, should know what she's doing.

Anyway, DAC checks should be consistent from the standpoint of
userland, first and foremost.

--
Ignacy Gawędzki
R&D Engineer
Green Communications