OpenVZ Forum


Home » Mailing lists » Devel » Re: Re: [RFC][PATCH 0/2] user namespace [try #2]
Re: [RFC][PATCH 0/2] user namespace [try #2] [message #6081 is a reply to message #6073] Thu, 07 September 2006 18:18 Go to previous messageGo to previous message
ebiederm is currently offline  ebiederm
Messages: 1354
Registered: February 2006
Senior Member
Kirill Korotaev <dev@sw.ru> writes:

> yes, these patches are usable for OpenVZ AS IS, so I'm not sure
> why we can't do step by step and commit. However I posted some comments on
> patches...
>
> Eric do you have some STRONG objections (maybe I just missed it somewhere)?

- We do not handle interactions between processes in different uid namespaces
and still have the normal uid equality checks.
- I am willing to be convinced that this is a nuclear missile the user is
allowed to shoot themselves in the foot with if someone can show me how
to use the current version safely.

A lot of this scares me silly as when ever you touch the primary identifier
in the security checks you must be very very very careful. My gut feeling
is that I'm nowhere near paranoid enough and the rest of you aren't even
paranoid.

What I want to see is that every uid identity check becomes either
a struct user comparison or a uid, uid_ns tuple comparison.

Eric

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Previous Topic: Re: pspace name
Next Topic: [RFC][PATCH] Add pspace to task_struct
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Wed Nov 26 16:50:35 GMT 2025

Total time taken to generate the page: 0.21387 seconds
Powered by FUDforum Powered by Virtuozzo Containers