| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2021-08-19 02:13:30 +0200 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2021-08-20 23:37:47 +0200 |
| commit | 906ab4945cd31daa0fb13c22f4a1dc02d3061e67 (patch) | |
| tree | 8959654c3e77508efda79e0b185a4fab0b69a81d | |
| parent | ebc82e00ee7954be8b6589925e1534c57ef2ad9c (diff) | |
| download | man-pages-906ab4945cd31daa0fb13c22f4a1dc02d3061e67.tar.gz | |
mount_namespaces.7: Rewrite locked mounts examples to use /etc/shadow
See https://lore.kernel.org/linux-man/20210817140649.7pmz5qcelgjzgxtz@wittgenstein/
Subject: Re: [PATCHi, man-pages] mount_namespaces.7: More clearly explain "locked mounts"
Date: Tue, 17 Aug 2021 16:06:49 +0200
Message-ID: <20210817140649.7pmz5qcelgjzgxtz@wittgenstein>
Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| -rw-r--r-- | man7/mount_namespaces.7 | 40 |
1 files changed, 23 insertions, 17 deletions
diff --git a/man7/mount_namespaces.7 b/man7/mount_namespaces.7 index 73119f96fb..2571ecb6d5 100644 --- a/man7/mount_namespaces.7 +++ b/man7/mount_namespaces.7 @@ -1079,22 +1079,21 @@ Consider the following example: .RS .in +4n .EX -$ \fBsudo mkdir /mnt/dir\fP -$ \fBsudo sh \-c \(aqecho "aaaaaa" > /mnt/dir/a\(aq\fP -$ \fBsudo mount \-\-bind /some/path /mnt/dir\fP -$ \fBls /mnt/dir\fP # Former contents of directory are invisible +$ \fBsudo sh\fP +# \fBmount \-\-bind /dev/null /etc/shadow\fP +# \fBcat /etc/shadow\fP # Produces no output .EE .in .RE .IP The above steps, performed in a more privileged mount namespace, have created a bind mount that -obscures the contents of the directory -.IR /mnt/dir . +obscures the contents of the shadow password file, +.IR /etc/shadow . For security reasons, it should not be possible to unmount that mount in a less privileged mount namespace, -since that would reveal the contents of the directory -.IR /mnt/dir . +since that would reveal the contents of +.IR /etc/shadow . .IP Suppose we now create a new mount namespace owned by a new user namespace. @@ -1108,12 +1107,12 @@ in the following step: .RS .in +4n .EX -$ \fBsudo unshare \-\-user \-\-map\-root\-user \-\-mount \e\fP +# \fBunshare \-\-user \-\-map\-root\-user \-\-mount \e\fP \fBstrace \-o /tmp/log \e\fP \fBumount /mnt/dir\fP -umount: /mnt/dir: not mounted. -$ \fBgrep \(aq^umount\(aq /tmp/log\fP -umount2("/mnt/dir", 0) = \-1 EINVAL (Invalid argument) +umount: /etc/shadow: not mounted. +# \fBgrep \(aq^umount\(aq /tmp/log\fP +umount2("/etc/shadow", 0) = \-1 EINVAL (Invalid argument) .EE .in .RE 
@@ -1135,13 +1134,20 @@ less privileged mount namespace: .IP .in +4n .EX -$ \fBls /home\fP # Show directory to be bind mounted at /mnt/dir -lost+found/ cecilia/ -$ \fBsudo unshare \-\-user \-\-map\-root\-user \-\-mount \e\fP - \fBsh \-c \(aqmount \-\-bind /home /mnt/dir; ls /mnt/dir\(aq\fP -lost+found cecilia +# \fBecho \(aqaaaaa\(aq > /tmp/a\fP # File to mount onto /etc/shadow +# \fBunshare \-\-user \-\-map\-root\-user \-\-mount \e\fP + \fBsh \-c \(aqmount \-\-bind /tmp/a /etc/shadow; cat /etc/shadow\(aq\fP +aaaaa +# \fBumount /etc/shadow\fP .EE .in +.IP +The final +.BR umount (8) +command above, which is performed in the initial mount namespace, +makes the original +.I /etc/shadow +file once more visible in that namespace. .IP * Following on from the previous point, note that it is possible to unmount an entire subtree of mounts that |
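Review bot: in the first hunk (@@ -1079) the `mount --bind /dev/null /etc/shadow` is performed in the initial mount namespace and is not undone until the `umount /etc/shadow` at the end of the third hunk, so the real shadow password file stays obscured system-wide for the whole run of the example; the text after `.EE`/`.RE` should say so, and should point the reader to that final `umount` as the step that restores it, so that nobody stops after the first example with `/etc/shadow` still masked by `/dev/null`.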
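Review bot: in the second hunk (@@ -1108) the command line is still the unchanged context line `\fBumount /mnt/dir\fP`, while the two rewritten output lines now read `umount: /etc/shadow: not mounted.` and `umount2("/etc/shadow", 0) = \-1 EINVAL (Invalid argument)`; the example is internally inconsistent, since `umount /mnt/dir` cannot produce output naming `/etc/shadow`. That context line should become `\fBumount /etc/shadow\fP`. Also, the prompt change from `$ \fBsudo unshare ...` to `# \fBunshare ...` implies the commands now continue in the root shell opened by `sudo sh` in the first hunk; the prose between the hunks (not shown here) should state that explicitly, otherwise a reader who runs the second example from a normal user shell will not get the shown result.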
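Review bot: in the third hunk (@@ -1135) the new `.IP` paragraph says the final `umount /etc/shadow` makes the original file visible again in the initial namespace, but it does not say which mount is being removed; it should state that this `umount` removes the `/dev/null` bind mount created in the first example (the locked mount that the less privileged namespace was unable to remove), and not the `/tmp/a` bind mount made inside the `unshare ... sh -c '...'` command, which lives only in the child mount namespace. Minor: `# \fBecho \(aqaaaaa\(aq > /tmp/a\fP` is also run from the root shell, so the "File to mount onto /etc/shadow" comment could note that the file is created as root and is merely a stand-in for attacker-controlled content.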
