Re: Filesystem Capabilities in 2.6?

Alexander Viro (viro@math.psu.edu)
Sun, 3 Nov 2002 00:09:30 -0500 (EST)


On Sat, 2 Nov 2002, Linus Torvalds wrote:

>
> On Sat, 2 Nov 2002, Alexander Viro wrote:
> >
> > No, that's OK -
> >
> > mount --bind /usr/bin/foo.real /usr/bin/foo.real
> > mount -o remount,nosuid /usr/bin/foo.real
>
> Ehh. With the nosuid mount that will remove the effectiveness of the suid
> bit (not just the user change - it will also mask off the elevation of the
> capabilities), so the bind-mount with the capability mask will now mask
> off nothing to start with.

Nope. Look - ->i_mode is still the same, nothing had changed. Suid
interpretation happens *not* on a superblock level. What happens is
* we look at file->f_dentry->d_inode->i_mode. No suid bit - no love.
* then we look at file->f_vfsmnt->mnt_flags. If that has MNT_NOSUID -
no love, again.
* if suid bit is present and vfsmount is not marked nosuid - there
we go.

In other words, nosuid status is _already_ per-binding - having a nosuid
binding at /usr/bin/foo.real doesn't have anything to do with suid (or
partial suid) bindings elsewhere.

So trick above will remove effectiveness of the suid bit for binding
at the place where real binary lives. If you want that place to retain
some capabilities - s/nosuid/capmask=.../ in the above. It has nothing
to do with other places where you might bind the same file - each binding
has its own vfsmount and thus its own ->mnt_flags...

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/