On Mon, Jan 10, 2022 at 4:15 AM Giuseppe Scrivano <[email protected]> wrote:
>
> > @Giuseppe Scrivano what do you think?
>
> please keep in mind that unprivileged overlay mounts cannot use
> metacopy. You still need root access on the host (CAP_SYS_ADMIN in
> the initial user namespace) in order to use metacopy=on.
>
> While it is safe to pull random images from the network and expect they
> cannot exploit the system to gain access to files outside the image
> itself, there is no guarantee when you are using a handcrafted storage
> repository as you seem to imply with the pen drive example.
> There are so many things that can be abused that metacopy=on is the last
> I'd worry about :-) For such cases, I suggest using rootless, and relying
> on the kernel to limit what the unprivileged user can do.

The quote comes directly from the kernel documentation.

So with that rationale, maybe the option 'metacopy=on' should be set upstream at
https://github.com/containers/storage/blob/375f77c66685b14fc580daad2dc6df607fb86dee/storage.conf#L95 ?
That way, Debian would pick up the change on the next upstream update.

Best,
-rt
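An added check, not from the thread or from containers/storage, that follows Giuseppe's point: it reports which overlay mounts actually carry metacopy=on and whether the current process (root in the initial user namespace) could use it at all. The mount lines below are constructed in /proc/mounts format; the uid_map check assumes the Linux convention that the initial user namespace maps 0 0 4294967295.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: a privileged overlay with
# metacopy=on, a rootless overlay (userxattr, no metacopy), and a non-overlay
# mount that must be ignored.
SAMPLE_MOUNTS='overlay /var/lib/containers/storage/overlay/abc/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w,metacopy=on 0 0
overlay /home/user/.local/share/containers/storage/overlay/def/merged overlay rw,relatime,lowerdir=/l2,upperdir=/u2,workdir=/w2,userxattr 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# overlay_metacopy_status reads /proc/mounts-format text on stdin and prints
# "<mountpoint> metacopy=on|off" for every overlay mount it sees.
overlay_metacopy_status() {
    while read -r _src mnt fstype opts _rest; do
        [ "$fstype" = "overlay" ] || continue
        case ",$opts," in
            *,metacopy=on,*) echo "$mnt metacopy=on" ;;
            *)               echo "$mnt metacopy=off" ;;
        esac
    done
}

# count_metacopy_on prints how many overlay mounts on stdin have metacopy=on
# (grep -c exits 1 on zero matches, so keep the count and ignore that status).
count_metacopy_on() {
    overlay_metacopy_status | grep -c ' metacopy=on$' || true
}

# can_use_metacopy succeeds only for uid 0 inside the initial user namespace,
# the situation the thread says metacopy=on requires. The uid and the text of
# /proc/self/uid_map are passed in so the check can run offline.
can_use_metacopy() {
    cum_uid=$1
    cum_map=$2
    [ "$cum_uid" = "0" ] || return 1
    # The initial namespace maps the whole 32-bit uid range starting at 0.
    printf '%s\n' "$cum_map" |
        grep -Eq '^[[:space:]]*0[[:space:]]+0[[:space:]]+4294967295[[:space:]]*$'
}

# Report on the constructed sample; on a live host feed /proc/mounts instead:
#   overlay_metacopy_status < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | overlay_metacopy_status
if can_use_metacopy "$(id -u)" "$(cat /proc/self/uid_map 2>/dev/null)"; then
    echo "this process could use metacopy=on"
else
    echo "this process cannot use metacopy=on (not root in the initial userns)"
fi
```

Mounts created by rootless overlay will show metacopy=off even when storage.conf asks for it, which is the gap the thread is describing.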

