xfs
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT}

from [Andreas Gruenbacher] [Permanent Link][Original]
To: Dave Chinner <david@xxxxxxxxxxxxx>
Subject: Re: Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT}
From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
Date: Tue, 27 Oct 2015 22:39:51 +0100
Cc: Brian Foster <bfoster@xxxxxxxxxx>, xfs@xxxxxxxxxxx
Delivered-to: xfs@xxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=K3kIgCGEQAEMTn1JOSEjZSA9o6EFAkiX8RoFLQ+/L1s=; b=nlWslxEzSbh+pg1uNmFan7E4OW00Dx03neLUZYd9NHXLb30bnJOgVH+wVL/KxDkYra tWiKsV0cK+7CuAAsyb5j9JphBLWioIfxMOLTr5ScEosiOZBRYPUCEF2pW0zlaG356xAR N3OZJOQP7RR2K5Dfqyy+/XOe5ul/GW1EzBmdfSGFryg3GrMUYbgkrdWxiYPH5WhZE7Hk ufhR0MYdEOJrQMahCz+kIHLGEWU717yrkcjs+qFsVftPu9OU7p/UGV5NlxImq6HhFDDX 78Xn5sNbRcRdXr19QPaU6/WL5HLhwwX2LsZ9RPQdvoWupsV2zvMDT/badvtriM/W/Shu +2GQ==
In-reply-to: <20151027201825.GO8773@dastard>
References: <CAHc6FU5gS4BA+iTRHo1oHJMVHkLs4aa0eYd5T1ftLC9biRaxrg@xxxxxxxxxxxxxx> <20151024125659.GA8095@xxxxxxxxxxxxxxx> <CAHc6FU6eVn=KpKvhD2N8hvAgdFQVdBHHS9tUgaVQJf5wnipY=g@xxxxxxxxxxxxxx> <20151024152254.GA22232@xxxxxxxxxxxxxxx> <20151026213228.GI8773@dastard> <CAHc6FU68MYTGWKM5S14_dQBqXeebd2GwQcKj4RztLvPWL2eksA@xxxxxxxxxxxxxx> <20151027053045.GL8773@dastard> <CAHc6FU4ZgJDKphScucvDfEWPFFu4dGfDVund9Wrah=X-vxnz3w@xxxxxxxxxxxxxx> <20151027201825.GO8773@dastard> 
On Tue, Oct 27, 2015 at 9:18 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
> Further, user namespaces are irrelevant here - you can't run
> xfsdump/restore outside the init_ns.  xfsdump requires access to the
> handle interface, which is unsafe to use inside a user ns because it
> allows complete access to any inode in the filesystem without
> limitations. xfs_restore requires unfettered access to directly
> manipulate the uid/gid/security attrs of inodes, which once again is
> something that isn't allowed inside user namespaces.
>
> Setting Posix acls by directly poking the on-disk attr format rather
> than going through the proper kernel ACL namespace is not a *general
> purpose user interface*.  Thi exists for backup/restore utilities to
> do things like restore ACLs and security labels simply by treating
> them as opaque xattrs.  If a user sets ACLs using this low level
> "opaque xattr" method, then they get to keep all the broken bits to
> themselves.

Any process capable of CAP_SYS_ADMIN can getxattr and setxattr those
xattrs, it doesn't matter whether it's xfsdump/restore or something
else. Some will mess with those attributes simply because listxattr
lists them and so they will get and set them like all other
attributes. Setting those attributes must not leave the system in an
inconsistent state, independent of what xfsdump/restore happens to do
with them.

Thanks,
Andreas
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [PATCH 3/4] xfs: SGI ACLs: Map uid/gid namespaces, Andreas Gruenbacher
Next by Date:  Re: [PATCH 3/4] xfs: SGI ACLs: Map uid/gid namespaces, Dave Chinner
Previous by Thread:  Re: Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT}, Dave Chinner
Next by Thread:  Re: Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT}, Dave Chinner
Indexes:  [Date] [Thread] [Top] [All Lists]