Re: [PATCH v3 0/1] Relax restrictions on user.* xattr

From: Bruce Fields
Date: Tue Sep 14 2021 - 09:59:35 EST

Next message: Heikki Krogerus: "Re: [PATCH] software node: balance refcount for managed sw nodes"
Previous message: cy_huang: "[PATCH] regulator: rtq6752: Enclose 'enable' gpio control by enable flag"
In reply to: Casey Schaufler: "Re: [PATCH v3 0/1] Relax restrictions on user.* xattr"
Next in thread: Vivek Goyal: "Re: [PATCH v3 0/1] Relax restrictions on user.* xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> Same is the requirement for regular containers and that's why
> podman (and possibly other container managers), make top level
> storage directory only readable and searchable by root, so that
> unpriveleged entities on host can not access container root filesystem
> data.

Note--if that directory is on NFS, making it readable and searchable
by root is very weak protection, since it's often possible for an
attacker to guess filehandles and access objects without the need for
directory lookups.

--b.

Next message: Heikki Krogerus: "Re: [PATCH] software node: balance refcount for managed sw nodes"
Previous message: cy_huang: "[PATCH] regulator: rtq6752: Enclose 'enable' gpio control by enable flag"
In reply to: Casey Schaufler: "Re: [PATCH v3 0/1] Relax restrictions on user.* xattr"
Next in thread: Vivek Goyal: "Re: [PATCH v3 0/1] Relax restrictions on user.* xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]