user namespaces config option

Serge E. Hallyn serue at
Thu Aug 16 04:56:36 PDT 2007

Quoting Pavel Emelyanov (xemul at
> Hi, Cedric, Serge.
> I have noticed, that you have removed config options for
> uts and ipc namespaces but kept one for user namespace.
> What's the policy about what namespaces should have config
> option? I thought, that the only code that is worth having
> under option is clone/destroy one to save .text size for
> people who don't need them (embedded).

The user namespaces are under a config and marked experimental because
uid-based permission checks do not take namespaces into account and the
root user in a namespace is not at all controlled.  You can handle the
security implications using selinux, but I guess the fear is that people
would assume uid namespaces do more than they currently do.


More information about the Containers mailing list