-----Original Message-----
From: Daniel P. Berrange [mailto:berrange@redhat.com]
Sent: Monday, November 18, 2013 11:57 PM
To: Chen Hanxiao
Cc: libvir-list(a)redhat.com
Subject: Re: [libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known
On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
>
> I used to encounter issues: inside container, we could modify files under /mnt
>
> So I think inside user namespace, if we do not have a proper id mapping,
> we should not bind mount it for containers, or at least set it as readonly.
I don't see any security problem in what we're doing already
In the host I ran
# mkdir /tmp/otheruser
# echo foo > /tmp/otheruser/hello.txt
# chown 500:500 /tmp/otheruser/
# chown 500:500 /tmp/otheruser/hello.txt
# chmod o-rwx /tmp/otheruser/hello.txt
And the container config has
<idmap>
<uid start='0' target='1001' count='10'/>
<gid start='0' target='1001' count='10'/>
</idmap>
<filesystem type='mount' accessmode='passthrough'>
<source dir='/tmp/otheruser'/>
<target dir='/mnt'/>
</filesystem>
If I start the container now
# virsh start --console shell
Connected to domain shell
Escape character is ^]
# cd /mnt/
# ls -al
total 8
drwxr-xr-x 2 65534 65534 60 Nov 18 15:51 .
drwxr-xr-x 8 0 0 4096 Nov 18 15:52 ..
-rw-r----- 1 65534 65534 4 Nov 18 15:51 hello.txt
# cat hello.txt
cat: can't open 'hello.txt': Permission denied
Everything appears to be working as designed. The directory is set to
the overflow users, and so my permissions inside the container are
restricted to whatever the 'other' bit in the permission mask allows
for. 'r-x' for the directory lets me see it, but '---' prevents me from
reading the file 'hello.txt'.
So I don't see what your patch is trying to fix
Sorry for the late reply.
On one 3.11-rcX kernel version, I did encounter an issue where we could MODIFY
the kernel's file without the related permission mask inside the container.
Gao said that couldn't happen, and I couldn't reproduce the issue on 3.12. (I
lost the original environment.)
If I encounter this issue again, I'll have Gao check it with me.
Thanks for your experiment.
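To make the id-mapping and permission reasoning in Daniel's experiment above concrete, here is an added Python model; it is not code from libvirt or from anyone in the thread. It translates host ids through the <idmap> from the quoted config the way a user namespace does, shows an unmapped owner as the overflow id 65534, and applies the owner/group/other bits from the container's point of view. One assumption is built in and labelled in the code: container root's DAC override is honoured only on inodes whose owner and group are mapped into the namespace, which is the behaviour Daniel's `cat hello.txt` shows. The function names, the sample file ownerships and the 65534 default are my own choices for the example.

```python
from dataclasses import dataclass

# Kernel default for /proc/sys/kernel/overflowuid and overflowgid: the id a
# user namespace reports for any host id it has no mapping for (assumed default).
OVERFLOW_ID = 65534

PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class IdMapEntry:
    """One <uid>/<gid> element of a libvirt <idmap>."""
    start: int    # first id as seen inside the container
    target: int   # host id that 'start' maps to
    count: int    # length of the contiguous range


# The <idmap> from the container config quoted in the thread.
IDMAP = [IdMapEntry(start=0, target=1001, count=10)]


def host_to_container(host_id, idmap):
    """What `ls -l` inside the container shows for a host id."""
    for e in idmap:
        if e.target <= host_id < e.target + e.count:
            return e.start + (host_id - e.target)
    return OVERFLOW_ID


def container_to_host(container_id, idmap):
    """Reverse direction; None means the container has no such id at all."""
    for e in idmap:
        if e.start <= container_id < e.start + e.count:
            return e.target + (container_id - e.start)
    return None


def is_mapped(host_id, idmap):
    return any(e.target <= host_id < e.target + e.count for e in idmap)


def mode_bits(mode_str):
    """Parse the 9 permission characters of an `ls -l` mode string,
    e.g. 'rw-r-----' -> 0o640. A leading type character (d, -, l) is ignored."""
    bits = 0
    for ch in mode_str[-9:]:
        bits = (bits << 1) | (ch != "-")
    return bits


def dac_check(proc_uid, proc_gids, file_uid, file_gid, mode, want, idmap):
    """Discretionary access check as a process inside the container experiences it.

    proc_uid / proc_gids are container-side ids; file_uid / file_gid are the host
    ids stored on disk (what the host's `ls -l` prints); want is a subset of 'rwx'.
    """
    need = sum(PERM_BITS[c] for c in want)
    owner_c = host_to_container(file_uid, idmap)
    group_c = host_to_container(file_gid, idmap)

    # Assumption modelled here: container root's CAP_DAC_OVERRIDE applies only
    # when the inode's owner and group are mapped into the namespace. A file
    # owned by an unmapped host id therefore denies even container root, which
    # is what the "Permission denied" in the thread shows.
    if proc_uid == 0 and is_mapped(file_uid, idmap) and is_mapped(file_gid, idmap):
        if "x" not in want or mode & 0o111:
            return True

    if proc_uid == owner_c:
        granted = (mode >> 6) & 7
    elif group_c in proc_gids:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    return (granted & need) == need


def reproduce_thread_experiment():
    """Daniel's /tmp/otheruser case: files chowned to 500:500, container root (uid 0, gid 0)."""
    dir_mode = mode_bits("drwxr-xr-x")
    file_mode = mode_bits("-rw-r-----")
    return {
        "ls_shows_owner": host_to_container(500, IDMAP),
        "can_list_dir": dac_check(0, [0], 500, 500, dir_mode, "rx", IDMAP),
        "can_read_file": dac_check(0, [0], 500, 500, file_mode, "r", IDMAP),
        "can_write_file": dac_check(0, [0], 500, 500, file_mode, "w", IDMAP),
    }


if __name__ == "__main__":
    for key, value in reproduce_thread_experiment().items():
        print(f"{key}: {value}")
```

Run it and the dictionary matches the transcript: the owner shows as 65534, the directory's `r-x` other-bits allow the listing, and neither read nor write of hello.txt is granted. Changing the constructed ownership to a host id inside the mapped range (for example 1003, which the container sees as uid 2) flips the result, because then container root's override applies; that contrast is the point of the `<idmap>` discussion.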