[PATCH 0/3] keys: play nicely with user namespaces

Eric W. Biederman ebiederm at xmission.com
Fri Dec 19 01:07:58 PST 2008


David Howells <dhowells at redhat.com> writes:

> Serge E. Hallyn <serue at us.ibm.com> wrote:
>
>> Yup - patch coming (probably next week) for that,
>
> Thanks.
>
>> but there's the question, given that user namespaces are hierarchical, of
>> whether, if pidns B is a child of pidns A created by userid 500, a task in
>> pidns A should see keys in userns B (listed as belonging to userid 500).
>
> Does that mean all the UIDs of B should be part of A?  Or is just UID 500
> inherited?  Or is UID 0 in B the same as UID 500 in A?

So far the design is that user namespaces are disjoint with one specific exception.

The user who creates the user namespace is expected to have god-like powers over
all users in the created user namespace.

When carefully implemented, this will allow a user namespace to be created
with normal user permissions, and for the user that created the user
namespace to manage the resources owned by users in that user
namespace.

Eric
