Re: [RFC] [PATCH] allowing user mounts

From: Bill Rugolsky Jr.
Date: Tue Feb 17 2004 - 17:48:08 EST


On Tue, Feb 17, 2004 at 04:59:25PM -0500, Rik van Riel wrote:
> You'll notice that /bin/mount already is a suid application,
> so you could just add your functionality there, or write your
> own suid mount application.
>
> As an added bonus, you'd be able to have a more flexible
> configuration framework then what would ever be accepted
> into the kernel, without needing to go through the effort
> of getting anything merged into the kernel.

True, but one generally wants to avoid suid tools that are visible
inside of CLONE_NS environment. Ideally, one uses per-vfsmount
ro,nodev,nosuid for mounts within such an environment.

How does mount(8) access its configuration information from within the
namespace? That requires that part of the private namespace be secured,
which is a non-trivial limitation, if one wants to, e.g., grant the
vserver administrator full privileges.

Alternatively, one might run a mount server within the environment.
That's certainly doable with existing infrastructure.

Regards,

Bill Rugolsky

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/