[libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known
Chen Hanxiao
chenhanxiao at cn.fujitsu.com
Tue Nov 19 02:07:22 UTC 2013
> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: Monday, November 18, 2013 11:57 PM
> To: Chen Hanxiao
> Cc: libvir-list at redhat.com
> Subject: Re: [libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known
>
> On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
> >
> > I used to encounter issues: inside container, we could modify files under /mnt
> >
> > So I think inside user namespace, if we do not have a proper id mapping,
> > we should not bind mount it for containers, or at least set it as readonly.
>
> I don't see any security problem in what we're doing already
>
> In the host I ran
>
> # mkdir /tmp/otheruser
> # echo foo > /tmp/otheruser/hello.txt
> # chown 500:500 /tmp/otheruser/
> # chown 500:500 /tmp/otheruser/hello.txt
> # chmod o-rwx /tmp/otheruser/hello.txt
>
> And the container config has
>
> <idmap>
> <uid start='0' target='1001' count='10'/>
> <gid start='0' target='1001' count='10'/>
> </idmap>
>
> <filesystem type='mount' accessmode='passthrough'>
> <source dir='/tmp/otheruser'/>
> <target dir='/mnt'/>
> </filesystem>
>
>
> If I start the container now
>
> # virsh start --console shell
> Connected to domain shell
> Escape character is ^]
> # cd /mnt/
> # ls -al
> total 8
> drwxr-xr-x 2 65534 65534 60 Nov 18 15:51 .
> drwxr-xr-x 8 0 0 4096 Nov 18 15:52 ..
> -rw-r----- 1 65534 65534 4 Nov 18 15:51 hello.txt
> # cat hello.txt
> cat: can't open 'hello.txt': Permission denied
>
> Everything appears to be working as designed. The directory is set to
> the overflow users, and so my permissions inside the container are
> restricted to whatever the 'other' bit in the permission mask allows
> for. 'r-x' for the directory lets me see it, but '---' prevents me from
> reading the file 'hello.txt'.
>
> So I don't see what your patch is trying to fix
Sorry for the late reply.
On one kernel version of 3.11-rcX, I did encounter an issue where we could MODIFY the kernel's files
without the related permission mask inside the container.
Gao said that couldn't happen, and I couldn't reproduce that issue on 3.12 (I lost the original env).
If I encounter this issue again, I'll have Gao check it with me.
Thanks for your experiment.
>
> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
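The exchange above turns on how the container's id mapping changes what a process inside it sees and may do with a bind-mounted host directory. The following is an added Python model of that (example code, not from this thread and not libvirt's or the kernel's own code): it applies libvirt `<idmap>` entries to host uids/gids, shows unmapped owners as the overflow id 65534, renders the `ls -l` view from the quoted session, and runs the owner/group/other check from the container's side. The CAP_DAC_OVERRIDE rule it uses (container root bypasses DAC only on inodes whose owner and group both map into the namespace) is an assumed simplification, as are all the constructed ids and modes.

```python
# Added example (not code from the thread or from libvirt): a small Python
# model of how a libvirt <idmap> changes what a container process may do with
# a bind-mounted host directory. The ids, modes and the CAP_DAC_OVERRIDE rule
# below are a constructed simplification, not a kernel reimplementation.

OVERFLOW_ID = 65534  # kernel default overflowuid / overflowgid

# libvirt <idmap> entries as (start, target, count): container ids
# start..start+count-1 correspond to host ids target..target+count-1.
# This is the mapping from the quoted container config.
IDMAP_FROM_POST = [(0, 1001, 10)]

R, W, X = 4, 2, 1  # permission bits of one rwx triplet


def is_mapped(host_id, idmap):
    """True if a host uid/gid has an entry in the namespace mapping."""
    return any(target <= host_id < target + count for _, target, count in idmap)


def host_to_container_id(host_id, idmap):
    """Host id as seen inside the container; unmapped ids show as overflow."""
    for start, target, count in idmap:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return OVERFLOW_ID


def container_to_host_id(container_id, idmap):
    """Container id translated back to the host; None if it has no mapping."""
    for start, target, count in idmap:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def mode_string(mode, is_dir=False):
    """Render the low nine mode bits the way ls -l prints them."""
    out = "d" if is_dir else "-"
    for i, ch in enumerate("rwxrwxrwx"):
        out += ch if mode & (1 << (8 - i)) else "-"
    return out


def ls_view(mode, host_uid, host_gid, name, idmap, is_dir=False):
    """One ls -l style line as the container would display it."""
    return "%s %5d %5d %s" % (
        mode_string(mode, is_dir),
        host_to_container_id(host_uid, idmap),
        host_to_container_id(host_gid, idmap),
        name,
    )


def container_may(mode, host_uid, host_gid, proc_uid, proc_gids, want, idmap):
    """Owner/group/other check from the container's point of view.

    proc_uid and proc_gids are container-side ids. Assumed simplification:
    container root's CAP_DAC_OVERRIDE is honoured only when both the owner and
    the group of the inode map into the namespace, and never grants execute on
    a file with no x bit at all.
    """
    if proc_uid == 0 and is_mapped(host_uid, idmap) and is_mapped(host_gid, idmap):
        if not (want & X) or (mode & 0o111):
            return True
    file_uid = host_to_container_id(host_uid, idmap)
    file_gid = host_to_container_id(host_gid, idmap)
    if proc_uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in proc_gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def replay_post_experiment(idmap=IDMAP_FROM_POST):
    """Replay the quoted experiment: /tmp/otheruser (500:500) bound on /mnt,
    container root (uid 0 -> host 1001) listing the dir and reading hello.txt."""
    dir_ok = container_may(0o755, 500, 500, 0, {0}, R | X, idmap)
    file_ok = container_may(0o640, 500, 500, 0, {0}, R, idmap)
    return {
        "listing": ls_view(0o640, 500, 500, "hello.txt", idmap),
        "can_list_dir": dir_ok,
        "can_read_file": file_ok,
    }


if __name__ == "__main__":
    for key, value in replay_post_experiment().items():
        print("%s: %s" % (key, value))
```

Running it reproduces the quoted session: `hello.txt` appears owned by 65534:65534, the directory's `r-x` other bits allow listing, and the file's `---` other bits deny the read even to container root, because the file's real owner (host uid 500) is outside the container's mapping. Changing the owner to a mapped host id such as 1001 flips the result, which is the property a reviewer would check before treating an unmapped bind mount as a defect.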