Re: [PATCH -mm 5/7] add user namespace

[Eric W. Biederman]

"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:

> Rather than try to store (uid, namespace) on the filesystem, I like the
> idea of doing something like
>
> 	mount --bind -o ro --uidswap 500,1001 --uidswap 501,0 /home /home
>
> In other words, when you unshare the user namespace, nothing
> filesystem-related changes unless you also unshare the fs-namespace and
> set uid info on the vfsmount.  This is fully backward-compatible and
> should have no overhead if you don't need the feature.

Maybe.  I really think the sane semantics are in a different uid namespace.
So you can't assumes uids are the same.  Otherwise you can't handle open
file descriptors or files passed through unix domain sockets.

A user namespace is fundamentally about breaking the assumption that
you can test to see if two users are the same by comparing uids.
If you don't want to break that assumption don't use a user namespace.

Mapping uids is a separate but related problem that we probably need to
tackle in a generic manner, usable for network filesystems.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/