Re: [PATCH -mm 5/7] add user namespace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Cedric Le Goater ([email protected]):
> Eric W. Biederman wrote:
> 
> >> I think user namespace should be unshared with filesystem. if not, the
> >> user/admin should know what is doing.
> > 
> > No.  The uids in a filesystem are interpreted in some user namespace
> > context.  We can discover that context at the first mount of the
> > filesystem. 
> 
> ok. so once you're in such a user namespace, you can't unshare from it
> without loosing access to all your files ?
> 
> > Assuming the uids on a filesystem are the same set of uids your process
> > is using is just wrong.
> 
> well, this is what is currently done without user namespaces.
> 
> >>> I believe some of the key infrastructure which is roughly kerberos
> >>> authentication tokens could be used for this purpose.
> >> please elaborate ? i'm not sure to understand why you want to use the keys
> >> to map users.
> > 
> > keys are essentially security credentials for something besides the
> > local kernel.  Think kerberos tickets.  That makes the keys the
> > obvious place to say what uid you are in a different user namespace
> > and similar things.
> 
> what about performance ? wouldn't that slow the checking ?

Rather than try to store (uid, namespace) on the filesystem, I like the
idea of doing something like

	mount --bind -o ro --uidswap 500,1001 --uidswap 501,0 /home /home

In other words, when you unshare the user namespace, nothing
filesystem-related changes unless you also unshare the fs-namespace and
set uid info on the vfsmount.  This is fully backward-compatible and
should have no overhead if you don't need the feature.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux