Re: [PATCH v5 2/4] fuse: Support fuse filesystems outside of init_user_ns

From: Miklos Szeredi
Date: Wed Nov 19 2014 - 05:38:21 EST


On Wed, Nov 19, 2014 at 9:50 AM, Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
> On Tue, Nov 18, 2014 at 4:21 PM, Seth Forshee
> <seth.forshee@xxxxxxxxxxxxx> wrote:
>>> I asked around a bit, and it turns out there are use cases for nested
>> containers (i.e. a container within a container) where the rootfs for
>> the outer container mounts a filesystem containing the rootfs for the
>> inner container. If that mount is nosuid then suid utilities like ping
>> aren't going to work in the inner container.
>>
>> So since there's a use case for suid in a userns mount and we have what
>> we belive are sufficient protections against using this as a vector to
>> get privileges outside the container, I'm planning to move ahead without
>> the MNT_NOSUID restriction. Any objections?
>
> In the general case how'd we prevent suid executable being tricked to
> do something it shouldn't do by unprivileged mounting into sensitive
> places (i.e. config files) inside the container?
>
> Allowing SUID looks like a slippery slope to me. And there are plenty
> of solutions to the "ping" problem, AFAICS, that don't involve the
> suid bit.

ping isn't even suid on my system, it has security.capability xattr instead.

Please just get rid of SUID/SGID. It's a legacy, it's a hack, not
worth the complexity and potential problems arising from that
complexity.

Thanks,
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/