http://bugzilla.suse.com/show_bug.cgi?id=1089349 http://bugzilla.suse.com/show_bug.cgi?id=1089349#c12 --- Comment #12 from Fabian Vogt <fvogt@suse.com> --- (In reply to Goldwyn Rodrigues from comment #11)
(In reply to Fabian Vogt from comment #10)
Any news here? Patch got submitted, but AFAICT didn't land.
I followed up. However, Miklos says it would be better if we can suppress system.nfs4_acl if it is equal to inode->i_mode. However, nfs4_acl seems to be opaque to the client and is interpreted by knfsd only.
From what I read now, ignoring "system." does pose a security risk.
AFAICT, no. It's the same security risk as copying a file to a different file system. overlayfs can only be as secure as the least common denominator of upper and lower layers. So I argue that by mounting it, the admin made a conscious decision.
A file which is allowed read for a user from a system.posix_acl_access or system.nfs4_acl will become unreadable after a copy_up operation and vice versa.
Let me look further how we can hide system.nfs4_acl
-- You are receiving this mail because: You are on the CC list for the bug.