OpenVZ Forum: Devel » Re: Re: [RFC][PATCH 0/2] user namespace [try #2]

Home » Mailing lists » Devel » Re: Re: [RFC][PATCH 0/2] user namespace [try #2]

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [RFC][PATCH 0/2] user namespace [try #2] [message #6081 is a reply to message #6073]

Thu, 07 September 2006 18:18

ebiederm
Messages: 1354
Registered: February 2006

Senior Member

Kirill Korotaev <dev@sw.ru> writes:

> yes, these patches are usable for OpenVZ AS IS, so I'm not sure
> why we can't do step by step and commit. However I posted some comments on
> patches...
>
> Eric do you have some STRONG objections (maybe I just missed it somewhere)?

- We do not handle interactions between processes in different uid namespaces
and still have the normal uid equality checks.
- I am willing to be convinced that this is a nuclear missile the user is
allowed to shoot themselves in the foot with if someone can show me how
to use the current version safely.

A lot of this scares me silly as when ever you touch the primary identifier
in the security checks you must be very very very careful. My gut feeling
is that I'm nowhere near paranoid enough and the rest of you aren't even
paranoid.

What I want to see is that every uid identity check becomes either
a struct user comparison or a uid, uid_ns tuple comparison.

Eric

Report message to a moderator

[Message index]

		Re: Re: [RFC][PATCH 0/2] user namespace [try #2] By: dev on Thu, 07 September 2006 16:06
		Re: [RFC][PATCH 0/2] user namespace [try #2] By: ebiederm on Thu, 07 September 2006 18:18
		Re: [RFC][PATCH 0/2] user namespace [try #2] By: Herbert Poetzl on Thu, 07 September 2006 18:30

Previous Topic:	Re: pspace name
Next Topic:	[RFC][PATCH] Add pspace to task_struct

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Mon Sep 02 07:01:50 GMT 2024

Total time taken to generate the page: 0.05912 seconds