Comment 18 for bug 1531747
Revision history for this message
| Seth Forshee (sforshee) wrote Re: [Bug 1531747] Re: overlay: mkdir fails if directory exists in lowerdir in a user namespace | #18 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
On Thu, Jan 14, 2016 at 12:17:06AM -0000, Serge Hallyn wrote:
> Does it require the workdir to be empty?
Not empty. It wants to remove workdir/work if it exists and then create
workdir/work, see ovl_workdir_create. Removing workdir/work is done as
the user which is mounting, so nothing can be removed that the user
couldn't already remove. ovl_workdir_create is ultimately just using
vfs_rmdir if the directory exists, which is going to fail if
workdir/work isn't empty.
> I.e. is there a way (symlink, bind mount, something else) that a user
> could use a dir they own which has a child which they don't own?
I don't think so, since
1. lowerdir is not written to.
2. We've established that what's done with workdir won't make this
possible.
3. When the vfs checks inode permissions for writing ovl_permission is
called, which checks the permissions for the inode in upperdir for
any write operation.
I've checked most of the places where overlay fs raises its credentials,
and I haven't found anything where it's doing anything with elevated
creds that isn't in line with the permission checks that would have
already been done. I'm still looking at ovl_rename2 though, which is
doing a lot more stuff with elevated creds than anywhere else.
Something I'm still not sure about is what would happen if you made a
symlink, bind mount, etc. in upperdir with the same name as an unrelated
file in lowerdir. This is worth checking out.
> It looks like no, since
>
> root@w1:/tmp# mount -t overlay -o lowerdir=
> root@w1:/tmp# ls /mnt
> cisco
> root@w1:/tmp# rmdir /mnt/cisco
> rmdir: failed to remove ‘/mnt/cisco’: Read-only file system
> root@w1:/tmp# mv /mnt/cisco /mnt/c2
> mv: cannot move ‘/mnt/cisco’ to ‘/mnt/c2’: Read-only file system
>
> (here w1 is a unpriv container with /hostopt a bind mount of /opt on the
> host; cisco a directory both in host's /opt and in /tmp/lowerdir)
I think I'm missing something here. I don't know why your mount is
read-only. But even if it wasn't, cisco is in lowerdir and thus should
never be modified or removed in any case. Removing it in /mnt should (I
think, still learning here) result in making a file in upperdir with the
whiteout xattr set.