Re: [PATCH] userns: Convert xfs to use kuid/kgid where appropriate

To: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Subject: Re: [PATCH] userns: Convert xfs to use kuid/kgid where appropriate
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Fri, 21 Jun 2013 09:35:51 +1000
Cc: Brian Foster <bfoster@xxxxxxxxxx>, Dwight Engen <dwight.engen@xxxxxxxxxx>, "Eric W. Biederman" <ebiederm@xxxxxxxxx>, xfs@xxxxxxxxxxx
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <87ip18o0yw.fsf@xxxxxxxxxxxx>
References: <20130619110948.0bfafa2b@xxxxxxxxxx> <20130620001341.GM29338@dastard> <20130620095410.1917d235@xxxxxxxxxx> <51C31F48.9070503@xxxxxxxxxx> <20130620133903.5193d3ee@xxxxxxxxxx> <51C35410.2040109@xxxxxxxxxx> <87ip18o0yw.fsf@xxxxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)
On Thu, Jun 20, 2013 at 03:45:43PM -0700, Eric W. Biederman wrote:
> I have a question about the project quota.  Is it intended that any
> user can set a project quota on any file?  Unless I am misreading
> xfs_ioctl_setattr that is what it allows.

Only on files they own. There is this check in xfs_ioctl_setattr():

        /*
         * CAP_FOWNER overrides the following restrictions:
         *
         * The user ID of the calling process must be equal
         * to the file owner ID, except in cases where the
         * CAP_FSETID capability is applicable.
         */
        if (current_fsuid() != ip->i_d.di_uid && !capable(CAP_FOWNER)) {
                code = XFS_ERROR(EPERM);
                goto error_return;
        }


> My narrow focus concern on this is that if the user is in a user
> namespace these ids need to be mapped before we look at them or else
> we will do the wrong thing.

The user IDs need to be mapped, yes, but do we want to map project
IDs? Project IDs are the property of the underlying filesystem, not
that of a user namespace. Users can change what project their files
are associated with, but they cannot change their UID or GID....

I can see reasons for wanting the same project quota id to be shared
across multiple namespaces. e.g.  setting up a directory tree quota
for a specific set of namespaces where you don't care about
individual namespace space usage but you want the group as a whole
to be limited.

Indeed, the use of project quotas as an external management tool for
limiting the filesystem space a namespace container can actually
consume makes an interesting argument for preventing access to
project quotas from any namespace other than the init_user_ns.

So, rather than saying "it must be mapped", how about we start by
thinking about how we want project quotas to be used in containerised
namespace configurations and work from there....

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
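
The owner comparison discussed in the message above, as an added userspace model that is not XFS code and not part of the original message. It assumes on-disk owner ids are stored as host (init_user_ns) values and that the caller's id is given as seen inside its namespace; the struct and function names and the 0 -> 100000 map are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_ID ((uint32_t)-1)

/* One uid_map extent: namespace ids [ns_first, ns_first + count)
 * correspond to host ids [host_first, host_first + count). */
struct id_extent { uint32_t ns_first, host_first, count; };
struct user_ns_model { const struct id_extent *map; size_t nr; };

/* Constructed sample: container uid 0..65535 -> host uid 100000..165535. */
static const struct id_extent container_map[] = { { 0, 100000, 65536 } };
static const struct user_ns_model container_ns = { container_map, 1 };

/* Translate a namespace-local id to a host id; INVALID_ID if unmapped. */
static uint32_t ns_to_host(const struct user_ns_model *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct id_extent *e = &ns->map[i];
        if (id >= e->ns_first && id - e->ns_first < e->count)
            return e->host_first + (id - e->ns_first);
    }
    return INVALID_ID;
}

/* Unconverted check: compares ids from two different id spaces. */
static bool owner_check_raw(uint32_t caller_ns_uid, uint32_t disk_uid)
{
    return caller_ns_uid == disk_uid;
}

/* Converted check: map the caller's id first, reject unmapped ids. */
static bool owner_check_mapped(const struct user_ns_model *ns,
                               uint32_t caller_ns_uid, uint32_t disk_uid)
{
    uint32_t host_uid = ns_to_host(ns, caller_ns_uid);
    return host_uid != INVALID_ID && host_uid == disk_uid;
}

int main(void)
{
    /* File owned by host root; caller is "root" inside the container. */
    printf("raw=%d mapped=%d\n", owner_check_raw(0, 0),
           owner_check_mapped(&container_ns, 0, 0));
    /* File owned by host uid 101000, which is container uid 1000. */
    printf("raw=%d mapped=%d\n", owner_check_raw(1000, 101000),
           owner_check_mapped(&container_ns, 1000, 101000));
    return 0;
}
```

In this model the raw comparison treats container root as the owner of a file owned by host root and refuses the container user its own file; mapping first reverses both outcomes.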
