| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Aug 2013 18:00:30 +0100 From: David Howells <dhowells@...hat.com> To: ebiederm@...ssion.com (Eric W. Biederman) Cc: dhowells@...hat.com, keyrings@...ux-nfs.org, linux-nfs@...r.kernel.org, krbdev@....edu, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, linux-kernel@...r.kernel.org, simo@...hat.com Subject: Re: [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches Eric W. Biederman <ebiederm@...ssion.com> wrote: > > Add support for per-user_namespace registers of persistent per-UID kerberos > > caches held within the kernel. > > Out of curiosity is this cache per user namspace because the key lookup > is per user namespace? Yes. You can't see keys in another namespace. I occasionally wonder if I should make the key serial number tree per namespace so that you don't search keys outside your namespace and can't try looking them up by ID - but it complicates the garbage collector which iterates over the entire tree (though it could maintain a list of per-ns trees). > Some minor nits below. But I don't see anything particulary scary about > this patch. Other than seeming to make it easy for root to get my > kerbose tickets. Root can do that anyway with file-based ccaches, I believe. However, you can change the key permissions to prevent root even seeing that your keys/keyrings exist, let alone stealing them. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists