On Wed, Apr 11, 2012 at 11:39:09PM +0400, Stanislav Kinsbursky wrote: > 11.04.2012 22:20, J. Bruce Fields написал: > >Suppose you export subtree /export/foo of filesystem /export to a > >client, that client can also easily access anything else in /export; all > >it hsa to do is guess the filehandle of the thing it wants to access (or > >just guess filehandle of /export itself; root filehandles are likely > >especially easily to guess), and then work from there. > > I see. > So, if I undertand you correctly, filesystem to export should be not > only one per server, but also should not consist or any other files, > which are not allowed to export. Yes, exactly, even in the absence of containers, if you're exporting a subdirectory of your root filesystem (for example) then you may be granting access to a lot more than you intended. So we strongly recommend exporting separate filesystems unless you're very sure you know what you're doing.... --b. > Currently, in OpenVZ we have kernel threads per container. Thus even > kernel threads are in "chroot jail". > But I'll check, do we have such vulnerability. > Thank you. > > >(There's a workaround: you can set the subtree_check option. That > >causes a number of problems (renaming a file to a different directory > >changes its filehandle, for example, so anyone trying to use it while it > >gets renamed gets an unexpected ESTALE). So we don't recommend it.) > > > >So if all the containers are sharing the same filesystem, then anyone > >exporting a subdirectory of its own filesystem has essentially granted > >access to everyone's filesystem. > > > >For that reason it's really only recommended to export separate > >filesystems.... > > Thanks. Anyway, we are going to get rid of "chroot jails" and > replace them by separated loop device. > -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
