mount_namespaces.7: Rewrite locked mounts examples to use /etc/shadow

See https://lore.kernel.org/linux-man/20210817140649.7pmz5qcelgjzgxtz@wittgenstein/
    Subject: Re: [PATCHi, man-pages] mount_namespaces.7: More clearly explain "locked mounts"
    Date: Tue, 17 Aug 2021 16:06:49 +0200
    Message-ID: <20210817140649.7pmz5qcelgjzgxtz@wittgenstein>

Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2021-08-19 02:13:30 +02:00
parent ebc82e00ee
commit 906ab4945c
1 changed file with 23 additions and 17 deletions


@ -1079,22 +1079,21 @@ Consider the following example:
.RS .RS
.in +4n .in +4n
.EX .EX
$ \fBsudo mkdir /mnt/dir\fP $ \fBsudo sh\fP
$ \fBsudo sh \-c \(aqecho "aaaaaa" > /mnt/dir/a\(aq\fP # \fBmount \-\-bind /dev/null /etc/shadow\fP
$ \fBsudo mount \-\-bind /some/path /mnt/dir\fP # \fBcat /etc/shadow\fP # Produces no output
$ \fBls /mnt/dir\fP # Former contents of directory are invisible
.EE .EE
.in .in
.RE .RE
.IP .IP
The above steps, performed in a more privileged mount namespace, The above steps, performed in a more privileged mount namespace,
have created a bind mount that have created a bind mount that
obscures the contents of the directory obscures the contents of the shadow password file,
.IR /mnt/dir . .IR /etc/shadow .
For security reasons, it should not be possible to unmount For security reasons, it should not be possible to unmount
that mount in a less privileged mount namespace, that mount in a less privileged mount namespace,
since that would reveal the contents of the directory since that would reveal the contents of
.IR /mnt/dir . .IR /etc/shadow .
.IP .IP
Suppose we now create a new mount namespace Suppose we now create a new mount namespace
owned by a new user namespace. owned by a new user namespace.
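Review bot: the new example's `# mount \-\-bind /dev/null /etc/shadow` is executed in the initial (more privileged) mount namespace, so it hides the real shadow password file for that whole namespace until it is undone, yet nothing in this hunk says so; the only cleanup is the trailing `# umount /etc/shadow` at the end of the third example. A short remark here that the mount is removed again at the end of the section would save readers from being surprised. Also, now that the prompt is `#`, the inline comment `# Produces no output` starts with the same character as the command lines; a different marker for comments, or moving that remark into the prose, would avoid the ambiguity.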
@ -1108,12 +1107,12 @@ in the following step:
.RS .RS
.in +4n .in +4n
.EX .EX
$ \fBsudo unshare \-\-user \-\-map\-root\-user \-\-mount \e\fP # \fBunshare \-\-user \-\-map\-root\-user \-\-mount \e\fP
\fBstrace \-o /tmp/log \e\fP \fBstrace \-o /tmp/log \e\fP
\fBumount /mnt/dir\fP \fBumount /mnt/dir\fP
umount: /mnt/dir: not mounted. umount: /etc/shadow: not mounted.
$ \fBgrep \(aq^umount\(aq /tmp/log\fP # \fBgrep \(aq^umount\(aq /tmp/log\fP
umount2("/mnt/dir", 0) = \-1 EINVAL (Invalid argument) umount2("/etc/shadow", 0) = \-1 EINVAL (Invalid argument)
.EE .EE
.in .in
.RE .RE
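Review bot: the command in the new version of this block still reads `\fBumount /mnt/dir\fP` while the output directly below it was updated to `umount: /etc/shadow: not mounted.` and `umount2("/etc/shadow", 0) = \-1 EINVAL (Invalid argument)`, so the transcript no longer matches the command that produced it. Change the command line to `\fBumount /etc/shadow\fP` so the three lines agree.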
@ -1135,13 +1134,20 @@ less privileged mount namespace:
.IP .IP
.in +4n .in +4n
.EX .EX
$ \fBls /home\fP # Show directory to be bind mounted at /mnt/dir # \fBecho \(aqaaaaa\(aq > /tmp/a\fP # File to mount onto /etc/shadow
lost+found/ cecilia/ # \fBunshare \-\-user \-\-map\-root\-user \-\-mount \e\fP
$ \fBsudo unshare \-\-user \-\-map\-root\-user \-\-mount \e\fP \fBsh \-c \(aqmount \-\-bind /tmp/a /etc/shadow; cat /etc/shadow\(aq\fP
\fBsh \-c \(aqmount \-\-bind /home /mnt/dir; ls /mnt/dir\(aq\fP aaaaa
lost+found cecilia # \fBumount /etc/shadow\fP
.EE .EE
.in .in
.IP
The final
.BR umount (8)
command above, which is performed in the initial mount namespace,
makes the original
.I /etc/shadow
file once more visible in that namespace.
.IP * .IP *
Following on from the previous point, Following on from the previous point,
note that it is possible to unmount an entire subtree of mounts that note that it is possible to unmount an entire subtree of mounts that
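Review bot: the new paragraph after `.EE`/`.in` explains the final `umount /etc/shadow`, but not why `cat /etc/shadow` inside the new namespace prints `aaaaa` when the previous example showed that the underlying `/dev/null` mount cannot be unmounted there; one sentence saying that the bind mount of `/tmp/a` is simply stacked on top of the locked mount, and is visible only inside the new mount namespace, would connect the two examples (the paragraph already implies this, since the final umount reveals the original file rather than `/tmp/a`). It would also help to state that the `#` prompt on the `umount /etc/shadow` line is the root shell started with `sudo sh` in the first example, because the same prompt character is used for the root shell created by `unshare`.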