lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 29 Apr 2013 14:45:46 -0500
From:	Rob Landley <rob@...dley.net>
To:	richard -rw- weinberger <richard.weinberger@...il.com>
Cc:	Michael Kerrisk-manpages <mtk.manpages@...il.com>,
	linux-man <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	Serge Hallyn <serge.hallyn@...ntu.com>,
	lkml <linux-kernel@...r.kernel.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Vasily Kulikov <segoon@...nwall.com>
Subject: Re: For review: user_namespaces(7) man page

On 04/29/2013 02:45:45 AM, richard -rw- weinberger wrote:
> On Thu, Mar 21, 2013 at 4:52 PM, Michael Kerrisk (man-pages)
> <mtk.manpages@...il.com> wrote:
> > Hi Serge,
> >
> > On Fri, Mar 15, 2013 at 4:38 PM, Serge Hallyn  
> <serge.hallyn@...ntu.com> wrote:
> >> Hi,
> >>
> >> you mention that after creating a new user namespace you at first  
> have
> >> all capabilities in the new ns.  You don't explicitly mention (or I
> >> missed it - I did see the mention of securebits) that if you want  
> to
> >> keep those capabilities after doing an exec, you need to first have
> >> something mapped to uid 0 in the userns, and do setuid(0).
> >
> > Good point. I'll add something on that.
> >
> >> You might not want to list manpages from other projects,
> >
> > Actually, not a problem. Many of the pages in my set already do  
> this.
> >
> >> but Eric's
> >> shadow patches introduce some good new manpages as well.  Those  
> aren't yet
> >> accepted upstream, but if/when they are then mention at least of
> >> subuid(5), subgid(5), and newuidmap(1) and newgidmap(1) might be  
> good.
> >
> > I'll add those.
> >
> > Cheers,
> >
> > Michael
> 
> Can we please also document which capabilities are useless within an
> user namespace?
> E.g. CAP_MKNOD.
> You get this capability but the kernel always checks it against the
> initial userns.

Is there a device namespace?

I vaguely recall OpenVZ implemented moving individual PCI devices into  
containers so some large movie company could put one video card in each  
container for render farms. There are lots of devices that aren't  
_really_ privileged (/dev/zero, /dev/null, /dev/full, /dev/ram) and  
more that could be emulated...

(Really this seems like a situation where devtmpfs needs -o newinstance  
and a corresponding filtered event netlink feed to pass to udev/mdev.  
And that might even have been feasible before Greg decided that  
devtmpfs needed to have opinions about uids. Oh well.)

Rob--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ