[libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known
Daniel P. Berrange
berrange at redhat.com
Mon Nov 18 15:56:48 UTC 2013
On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
>
>
> > -----Original Message-----
> > From: Daniel P. Berrange [mailto:berrange at redhat.com]
> > Sent: Wednesday, November 13, 2013 6:35 PM
> > To: Chen Hanxiao
> > Cc: libvir-list at redhat.com
> > Subject: Re: [libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be
> > known
> >
> > On Wed, Nov 13, 2013 at 04:51:43PM +0800, Chen Hanxiao wrote:
> > > From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> > >
> > > If we enable userns, we could bind mount
> > > some dirs from host to guest, which don't belong to
> > > the target mapped uid/gid.
> > >
> > > Such as we could bind mount root's dirs to guest.
> > > What is worse, we could even modify root's files
> > > in that bind dir inside container.
> >
> > I still can't see what the problem is from the description
> > here. Please can you give a clear example of the config
> > used and exactly what goes wrong.
> >
>
> 1. enable user namespace
> <idmap>
> <uid start='0' target='1001' count='10'/>
> <gid start='0' target='1001' count='10'/>
> </idmap>
>
> 2. bind mount some dirs to container, which belongs to root or other users.
> <filesystem type='mount' accessmode='passthrough'>
> <source dir='/media/LXC1'/>
> <target dir='/mnt'/>
> </filesystem>
>
> # ll /media/
> ...
> drwxr-xr-x. 3 root root 4096 Nov 13 17:21 LXC1
> ...
>
> 3. start container
>
> I used to encounter issues: inside container, we could modify files under /mnt
>
> So I think inside user namespace, if we do not have a proper id mapping,
> we should not bind mount it for containers, or at least set it as readonly.
I don't see any security problem in what we're doing already
In the host I ran
# mkdir /tmp/otheruser
# echo foo > /tmp/otheruser/hello.txt
# chown 500:500 /tmp/otheruser/
# chown 500:500 /tmp/otheruser/hello.txt
# chmod o-rwx /tmp/otheruser/hello.txt
And the container config has
<idmap>
<uid start='0' target='1001' count='10'/>
<gid start='0' target='1001' count='10'/>
</idmap>
<filesystem type='mount' accessmode='passthrough'>
<source dir='/tmp/otheruser'/>
<target dir='/mnt'/>
</filesystem>
If I start the container now
# virsh start --console shell
Connected to domain shell
Escape character is ^]
# cd /mnt/
# ls -al
total 8
drwxr-xr-x 2 65534 65534 60 Nov 18 15:51 .
drwxr-xr-x 8 0 0 4096 Nov 18 15:52 ..
-rw-r----- 1 65534 65534 4 Nov 18 15:51 hello.txt
# cat hello.txt
cat: can't open 'hello.txt': Permission denied
Everything appears to be working as designed. The directory is set to
the overflow users, and so my permissions inside the container are
restricted to whatever the 'other' bit in the permission mask allows
for. 'r-x' for the directory lets me see it, but '---' prevents we
reading the file 'hello.txt'.
So I don't see what your patch is trying to fix
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list