user namespaces config option
Serge E. Hallyn
serue at us.ibm.com
Thu Aug 16 04:56:36 PDT 2007
Quoting Pavel Emelyanov (xemul at openvz.org):
> Hi, Cedric, Serge.
> I have noticed that you have removed config options for
> uts and ipc namespaces but kept one for user namespace.
> What's the policy about what namespaces should have config
> option? I thought that the only code that is worth having
> under option is clone/destroy one to save .text size for
> people who don't need them (embedded).
The user namespaces are under a config and marked experimental because
uid-based permission checks do not take namespaces into account and the
root user in a namespace is not at all controlled. You can handle the
security implications using selinux, but I guess the fear is that people
would assume uid namespaces do more than they currently do.