Re: [REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on owned filesystems.
From: Eric W. Biederman
Date: Thu May 24 2018 - 12:03:28 EST
Seth Forshee <seth.forshee@xxxxxxxxxxxxx> writes:
> On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote:
>> These filesystems already always set SB_I_NODEV so mknod will not be
>> useful for gaining control of any devices no matter their permissions.
>> This will allow overlayfs and applications to fakeroot to use device
>> nodes to represent things on disk.
>>
>> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> For a normal filesystem this does seem safe enough.
>
> However, I'd also like to see us allow unprivileged mounting for
> overlayfs, and there we need to worry about whether this would allow a
> mknod in an underlying filesystem which should not be allowed. That
> mknod will be subject to this same check in the underlying filesystem
> using the credentials of the user that mounted the overaly fs, which
> should be sufficient to ensure that the mknod is permitted.
Sufficient to ensure the mknod is not permitted on the underlying
filesystem. I believe you mean.
> Thus this looks okay to me.
>
> Acked-by: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>
Eric