Eric W. Biederman wrote:
>> I think user namespace should be unshared with filesystem. if not, the
>> user/admin should know what is doing.
>
> No. The uids in a filesystem are interpreted in some user namespace
> context. We can discover that context at the first mount of the
> filesystem.
ok. so once you're in such a user namespace, you can't unshare from it
without loosing access to all your files ?
> Assuming the uids on a filesystem are the same set of uids your process
> is using is just wrong.
well, this is what is currently done without user namespaces.
>>> I believe some of the key infrastructure which is roughly kerberos
>>> authentication tokens could be used for this purpose.
>> please elaborate ? i'm not sure to understand why you want to use the keys
>> to map users.
>
> keys are essentially security credentials for something besides the
> local kernel. Think kerberos tickets. That makes the keys the
> obvious place to say what uid you are in a different user namespace
> and similar things.
what about performance ? wouldn't that slow the checking ?
thanks,
C.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]