lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20070806130904.GC23642@sergelap.austin.ibm.com>
Date:	Mon, 6 Aug 2007 08:09:04 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Michael Kerrisk <mtk-manpages@....net>,
	"Serge E. Hallyn" <serue@...ibm.com>,
	lkml <linux-kernel@...r.kernel.org>,
	Kirill Korotaev <dev@...nvz.org>,
	Herbert Poetzl <herbert@...hfloor.at>,
	Andrey Savochkin <saw@...ru>, Adrian Bunk <bunk@...sta.de>,
	Cedric Le Goater <clg@...ibm.com>,
	Chris Wright <chrisw@...s-sol.org>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	James Morris <jmorris@...ei.org>,
	Andrew Morgan <agm@...gle.com>
Subject: Re: CLONE_NEWUSER documentation

Quoting Eric W. Biederman (ebiederm@...ssion.com):
> Michael Kerrisk <mtk-manpages@....net> writes:
> 
> > Hello Serge,
> >
> > In 2.6.23-rc, your patch to add support for CLONE_NEWUSER is included.  Is
> > there there some for-userland-programmers documentation of this flag
> > somewhere?  Would you be able to send some documentation to me (ideally as
> > a patch to the clone.2 man page, but otherwise some plain text will do).
> >
> > If this flag is also supported for unshare(), then could you please send me
> > a patch/text for that too?
> 
> Currently this namespace is a work in progress marked with CONFIG_EXPERIMENTAL
> because it is very much still experimental and under development.
> 
> There may be other omissions but the one I am most aware of is that
> the in kernel user and group equality comparisons have not become been
> transformed from the form uid1 == uid2 to user_namespace1 == user_namespace2 &&
> uid1 == uid2.

I think the two main omissions are that one, and the fact that there is
no concept of a capability mask or per-namespace/cross-namespace
capabilities.  What is implemented is separate accounting for the same
uid in different namespaces.

Until the shortcomings are addressed, depending on one's use case, one
may want to use selinux to control access across user namespaces.

> Until that happens that user namespace remains incomplete and not very
> useful.  So the advice to users for now that unless they want to help
> finish this up do not use.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ