[PATCH 0/3] keys: play nicely with user namespaces

David Howells dhowells at redhat.com
Fri Dec 19 03:17:42 PST 2008


Eric W. Biederman <ebiederm at xmission.com> wrote:

> So far the design is that user namespaces are disjoint with one specific
> exception.
> 
> The user who creates the user namespace is expected to have god like powers
> over all users in the created user namespace.

I see.

> When carefully implemented, this will allow a user namespace to be created with
> normal user permissions and for the user that created the user namespace to
> manage the resources owned by users in that user namespace.

I'm not sure how to deal with this wrt keys.  There are two problems to
consider:

 (1) Should a key with UID 500 from namespace A in Serge's example be visible
     in namespace B?

     If such a key should show up in namespace B, should its UID be given as 0
     to userspace?

 (2) How is the quota controlled?  Do new keys made up under the domain of
     namespace B go to namespace B UID 0's quota?  Or do they come out of
     namespace A's UID 500 quota?

David
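
Added here as an illustration and not code from the thread or from the kernel: the
two questions above turn on how a uid is translated across a user namespace
boundary. The program below models that translation with the uid_map format
Linux later adopted ("inside outside count", one extent per line, written to
/proc/<pid>/uid_map after the namespace is created), which post-dates this
discussion; the map contents, the uid values and the namespace names A and B are
constructed to match the scenario in the message (A's uid 500 creates B and is
uid 0 inside it). Ids with no mapping are reported as 65534, the kernel's
default overflowuid. This shows what "given as 0 to userspace" means in mapping
terms; it does not settle what the keys code should do.

```c
#include <limits.h>
#include <stdio.h>

#define OVERFLOW_UID 65534u   /* default /proc/sys/kernel/overflowuid */
#define MAX_EXTENTS 5         /* extents allowed in one uid_map (kernel limit) */

struct extent { unsigned int inside, outside, count; };
struct uid_map { struct extent ext[MAX_EXTENTS]; int n; };

/* True if [a, a+ac) and [b, b+bc) share an id; uses start+count-1 so a
 * range ending at UINT_MAX does not wrap. */
static int ranges_overlap(unsigned int a, unsigned int ac,
                          unsigned int b, unsigned int bc)
{
    return a <= b + (bc - 1) && b <= a + (ac - 1);
}

/* Parse uid_map text, one "inside outside count" triple per line.
 * Returns the number of extents, or -1 if the text is malformed, has too
 * many lines, an extent would wrap the id space, or two extents overlap
 * (the kernel rejects a map on each of these grounds). */
int parse_uid_map(const char *text, struct uid_map *m)
{
    const char *p = text;
    m->n = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (*p == '\0') return m->n;
        if (m->n >= MAX_EXTENTS) return -1;
        unsigned int in, out, cnt;
        int used = 0;
        if (sscanf(p, "%u %u %u%n", &in, &out, &cnt, &used) != 3 || cnt == 0)
            return -1;
        if (cnt - 1 > UINT_MAX - in || cnt - 1 > UINT_MAX - out)
            return -1;
        for (int i = 0; i < m->n; i++) {
            const struct extent *e = &m->ext[i];
            if (ranges_overlap(in, cnt, e->inside, e->count) ||
                ranges_overlap(out, cnt, e->outside, e->count))
                return -1;
        }
        m->ext[m->n].inside = in;
        m->ext[m->n].outside = out;
        m->ext[m->n].count = cnt;
        m->n++;
        p += used;
    }
}

/* Translate an id known in the parent namespace to how the child sees it. */
unsigned int uid_to_inside(const struct uid_map *m, unsigned int outside)
{
    for (int i = 0; i < m->n; i++) {
        const struct extent *e = &m->ext[i];
        if (outside >= e->outside && outside - e->outside < e->count)
            return e->inside + (outside - e->outside);
    }
    return OVERFLOW_UID;   /* unmapped: userspace sees the overflow id */
}

/* Translate an id used inside the child back to the parent's numbering. */
unsigned int uid_to_outside(const struct uid_map *m, unsigned int inside)
{
    for (int i = 0; i < m->n; i++) {
        const struct extent *e = &m->ext[i];
        if (inside >= e->inside && inside - e->inside < e->count)
            return e->outside + (inside - e->inside);
    }
    return OVERFLOW_UID;
}

/* Constructed uid_map for namespace B: A's uid 500 (the creator) is uid 0
 * inside B, plus a subordinate range for B's other users. */
static const char *ns_b_map = "0 500 1\n1000 100000 65536\n";

int main(void)
{
    struct uid_map b;
    if (parse_uid_map(ns_b_map, &b) < 0) {
        fprintf(stderr, "bad uid_map\n");
        return 1;
    }
    /* Question (1): a key owned by A's uid 500, if shown in B, appears as uid 0. */
    printf("A uid 500 -> B uid %u\n", uid_to_inside(&b, 500));
    /* An A uid with no extent in B's map is only visible as the overflow id. */
    printf("A uid 501 -> B uid %u\n", uid_to_inside(&b, 501));
    /* Question (2): whatever B's uid 0 creates is, from A's view, uid 500's. */
    printf("B uid 0 -> A uid %u\n", uid_to_outside(&b, 0));
    printf("B uid 1000 -> A uid %u\n", uid_to_outside(&b, 1000));
    printf("B uid 70000 -> A uid %u\n", uid_to_outside(&b, 70000));
    return 0;
}
```

The two translation functions are deliberately asymmetric in what they return
for the overflow case: an unmapped id is never silently folded into an existing
user, which is the behaviour a quota or ownership check would need to rely on.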


More information about the Containers mailing list