On Tue, 2009-05-12 at 17:04 -0700, Eric W. Biederman wrote:
> Trond Myklebust <trond.myklebust@xxxxxxxxxx> writes:
>
> > Finally, what happens if someone decides to set up a private socket
> > namespace, using CLONE_NEWNET, without also using CLONE_NEWNS to create
> > a private mount namespace? Would anyone have even the remotest chance in
> > hell of figuring out what filesystem is mounted where in the ensuing
> > chaos?
>
> Good question. Multiple NFS servers with the same ip address reachable
> from the same machine sounds about as nasty a pickle as it gets.
>
> The only way I can even imagine a setup like that is someone connecting
> to a vpn. So they are behind more than one NAT gateway.
>
> Bleh NAT sucks.

It is doable, though, and it will affect more than just NFS. Pretty much
all networked filesystems are affected.

It begs the question: is there ever any possible justification for
allowing CLONE_NEWNET without implying CLONE_NEWNS?

Trond

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
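The situation the thread worries about (a new network namespace whose process still shares the old mount table) can be observed directly. The following C program is an added example, not code from this thread or from the kernel tree. It assumes Linux with /proc mounted and uses unshare(2), which needs CAP_SYS_ADMIN for CLONE_NEWNET and CLONE_NEWNS, so an unprivileged run reports the refusal instead of a comparison. A child calls unshare() with the given flags and reports the inodes of its /proc/self/ns/net and /proc/self/ns/mnt back to the parent; equal inodes mean the same namespace. CLONE_NEWNET alone yields "new net, same mnt", the combination the thread asks about, while CLONE_NEWNET|CLONE_NEWNS isolates both.

```c
/* Added example, not from the thread or the kernel tree: does a child that
 * calls unshare(flags) land in a new network namespace, a new mount
 * namespace, both or neither? Compares /proc/self/ns/{net,mnt} inodes with
 * the parent's. Assumes Linux with /proc mounted; creating namespaces needs
 * CAP_SYS_ADMIN, so unprivileged runs report PROBE_UNSHARE_FAILED. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was already included without _GNU_SOURCE. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);

enum probe_result {
    PROBE_SAME_BOTH = 0,        /* child shares both namespaces with parent */
    PROBE_NET_ONLY = 1,         /* new net namespace, mount table still shared */
    PROBE_MNT_ONLY = 2,         /* new mount namespace only */
    PROBE_BOTH_NEW = 3,         /* both namespaces private */
    PROBE_UNSHARE_FAILED = -1,  /* unshare() refused: no CAP_SYS_ADMIN, seccomp, ... */
    PROBE_ERROR = -2            /* fork/pipe failure or /proc not available */
};

/* Inode of /proc/self/ns/<name>: processes in the same namespace see the
 * same inode. Returns 0 if the file cannot be stat'ed. */
static unsigned long ns_inode(const char *name)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/ns/%s", name);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Pure comparison, kept separate so it can be checked without privileges. */
int classify(unsigned long parent_net, unsigned long child_net,
             unsigned long parent_mnt, unsigned long child_mnt)
{
    if (!parent_net || !child_net || !parent_mnt || !child_mnt)
        return PROBE_ERROR;
    int net_new = parent_net != child_net;
    int mnt_new = parent_mnt != child_mnt;
    if (net_new && mnt_new) return PROBE_BOTH_NEW;
    if (net_new)            return PROBE_NET_ONLY;
    if (mnt_new)            return PROBE_MNT_ONLY;
    return PROBE_SAME_BOTH;
}

/* Fork a child, have it unshare(flags), and compare its namespaces with ours.
 * The child reports {unshare_ok, net_inode, mnt_inode} over a pipe. */
int probe(int flags)
{
    int fd[2], status;
    unsigned long msg[3] = {0, 0, 0};

    if (pipe(fd) != 0)
        return PROBE_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        close(fd[0]);
        if (unshare(flags) == 0) {
            msg[0] = 1;
            msg[1] = ns_inode("net");
            msg[2] = ns_inode("mnt");
        }
        (void)!write(fd[1], msg, sizeof msg);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], msg, sizeof msg);
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof msg)
        return PROBE_ERROR;
    if (msg[0] == 0)
        return PROBE_UNSHARE_FAILED;
    return classify(ns_inode("net"), msg[1], ns_inode("mnt"), msg[2]);
}

static const char *probe_name(int r)
{
    switch (r) {
    case PROBE_SAME_BOTH:      return "same net, same mnt";
    case PROBE_NET_ONLY:       return "NEW net, same mnt (the case in the thread)";
    case PROBE_MNT_ONLY:       return "same net, NEW mnt";
    case PROBE_BOTH_NEW:       return "NEW net, NEW mnt";
    case PROBE_UNSHARE_FAILED: return "unshare() refused (need CAP_SYS_ADMIN)";
    default:                   return "error";
    }
}

int main(void)
{
    printf("unshare(0):                        %s\n", probe_name(probe(0)));
    printf("unshare(CLONE_NEWNET):             %s\n", probe_name(probe(CLONE_NEWNET)));
    printf("unshare(CLONE_NEWNET|CLONE_NEWNS): %s\n",
           probe_name(probe(CLONE_NEWNET | CLONE_NEWNS)));
    return 0;
}
```

Run as root to see all three lines resolve; as an unprivileged user only the first line (unshare(0), which is always permitted) produces a comparison. The mount-namespace inode of the CLONE_NEWNET-only child matches the parent's, which is exactly why an NFS mount keyed on a server IP address becomes ambiguous once two network namespaces share one mount table.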