Giving users the privilege to perform unrestricted aufs operations
(e.g., using sudo) is a big security risk, as union mounts can be
exploited to arbitrarily restructure the filesystem as part of a
privilege escalation attack.

So I wrote a suid-root user interface called useraufs that allows safe
user-level aufs operations. Prior to that I hardened pyproject's
execution proxy to more securely support setuid root applications.

The basic principle is that users can safely perform aufs operations
on any directory which they own.

By default, useraufs explicitly disallows root from using it, because
to enable useraufs to operate under MAC, we need to give it
integrity threatening capabilities such as CAP_SYS_ADMIN. This is a
capability that root will not usually be given under a reasonable HRA policy. 
The risk is that by allowing useraufs to be run by root, and operate
on root owned directories, useraufs could be used by an attacker that has
compromised root access to completely circumvent the MAC policy and
severely compromise system integrity.

Though root is not allowed to use useraufs by default, useraufs may be
configured to allow root by adding "allow_user root" to the configuration
file. To prevent circumvention of a MAC security policy, it is recommended
to limit the directories useraufs may operate in via the `allow_dir'
configuration directive (see below for further details). 

If allowed to run as root, then useraufs will grant root special privileges,
such as the ability to mount and umount directories not owned by root,
as well the ability to see aufs mounts by all users.

useraufs is a bit easier to use than vanilla aufs options through the
mount commands. For the time being, it does not support the full
breadth of aufs options since I don't see a need for them right now.

Syntax: useraufs <command> [args]
User interface for aufs

Commands:
    mount      Creates a union mount
    remount    Remounts a union mount to perform reconfiguration operations
    show       Show this user's union mounts
    umount     Umount union mount

Security configuration

By default, useraufs allows all users except root to create union mounts
consisting of any directory branches they own on any mount points they own.

However, for additional security useraufs can be limited to specific users
and directories, by creating the /etc/useraufs.conf configuration file.

useraufs.conf supports two directives:

1) allow_user <username>

This directive adds the uid of username to the list of allowed useraufs
users.

If the configuration file does not include any allow_user directives,
useraufs allows all users, except root.

2) allow_dir /path/to/allow

This directives adds the specified path to the list of paths useraufs
allows as either union mount branches or mount points. Any sub paths of
the specified path are also allowed, so for example, allowing /home will
also allow all directories under /home.

If the configuration file does not include any allow_dir directives,
useraufs allows all paths.
