> Not necessary.
>
> Why not have the FUSE daemon keep open a file descriptor for the
> directory it's mounted on, and have it sent that to new would-be
> mounters of the same directory using a unix domain socket (rather as
> Pavel suggested)?
How does that help? It doesn't matter _which_ process you try to bind
mount /proc/XXX/fd/N from, the result will be the same.
> No. The check is to prevent processes in chroot jails from accessing
> directories outside their jail. Even CAP_SYS_ADMIN processes must be
> forbidden from doing that.
As someone pointed out, CAP_SYS_ADMIN processes can already escape the
chroot jail with CLONE_NEWNS. (fd=open("."); clone(CLONE_NEWNS);
[child:] fchdir(fd); chdir(".."))
> But proc_check_root is unnecessarily strict, in that it prevents a
> process from traversing into a "child" namespace.
>
> IMHO, a better security restriction anyway would be for processes in
> chroot jails to not be able to see processes outside the jail in /proc
> - only processes inside the jail should be visible. I think everyone
> agrees that would be best.
Dunno. It's a big change possibly breaking existing applications.
Chroot probably has other uses than jailing.
> If that were implemented, then proc_check_root would be redundant and
> could be removed entirely.
Yes.
Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]