[Devel] Re: [PATCH 0/3] keys: play nicely with user namespaces
David Howells
dhowells at redhat.com
Fri Dec 19 03:17:42 PST 2008
Eric W. Biederman <ebiederm at xmission.com> wrote:

> So far the design is that user namespaces are disjoint with one specific
> exception.
>
> The user who creates the user namespace is expected to have god like powers
> over all users in the created user namespace.

I see.

> When carefully implemented will allow a user namespace to be created with
> normal user permissions and for the user that created user namespace to
> manage the resources owned by users in that user namespace.

I'm not sure how to deal with this wrt keys. There are two problems to
consider:

 (1) Should a key with UID 500 from namespace A in Serge's example be visible
     in namespace B?

     If such a key should show up in namespace B, should its UID be given as 0
     to userspace?

 (2) How is the quota controlled? Do new keys made up under the domain of
     namespace B go to namespace B UID 0's quota? Or do they come out of
     namespace A's UID 500 quota?

David
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers