Message-ID: <1324399763.25566.15.camel@lenny>
Date: Tue, 20 Dec 2011 11:49:23 -0500
From: Colin Walters <walters@...bum.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: "Serge E. Hallyn" <serge@...lyn.com>,
LKML <linux-kernel@...r.kernel.org>, alan@...rguk.ukuu.org.uk,
morgan@...nel.org, luto@....edu, kzak@...hat.com,
Steve Grubb <sgrubb@...hat.com>
Subject: Re: chroot(2) and bind mounts as non-root
On Mon, 2011-12-19 at 01:22 -0800, Eric W. Biederman wrote:
> As long as Colin only cares about being able to be the root user I
> agree.
I don't actually need "pretend to be uid 0" functionality myself, but
the "fakeroot" case was cited on the user namespace page, and so I
wanted to understand how it works.
> If Colin needs several uids during his build that is trickier.
> But it sounds like Colin just needs to have a chroot build environment and
> for that a single user sounds good enough.
Right, just need chroot (and bind mounts).
> Being able to use the other namespaces to get a good isolation from the
> host environment is also nice and especially the pid namespace can
> guarantee that processes won't escape his build environment.
Yeah, CLONE_NEWPID is great.
> It is one of those worse is better implementation details but we can
> discuss that more when I start posting patches in January.
>
> I am not an immediate fan of writing random uids to disk. Uids being
> persistent can be interesting to deal with if those uids are ever
> reused.
Right...
> Right now my implementation supports just 5 non-overlapping uid mapping
> ranges. Which is enough to cover a lot of uids but still fit within one
> cacheline. And I think to keep stat reasonably fast I want it to fit in
> a cacheline at least for now. Oy. Hopefully it isn't too hard to find
> some benchmarks to prove this out. I expect the torture case is to
> time ls -l in a huge directory with a lot of files, owned by a lot of
> different users.
Where's the current user namespace tree? The link on
https://wiki.ubuntu.com/UserNamespace is broken.
Is it:
http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=summary
?
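
The quoted point about five non-overlapping uid mapping ranges fitting in one cacheline, as an added example that is not code from this thread or from the patches it mentions: a fixed-size map with an overlap-rejecting insert and a linear lookup. The struct layout, the names `id_map`, `id_map_add`, `id_map_down` and `INVALID_ID`, and the 64-byte cacheline size are assumptions made for illustration.

```c
#include <stdint.h>

#define MAX_EXTENTS 5                    /* "just 5 ... ranges" from the mail */
#define INVALID_ID  ((uint32_t)-1)       /* assumed marker for "no mapping" */

/* One range: ids [first, first+count) inside the namespace map to
 * [lower_first, lower_first+count) on the host. 12 bytes each. */
struct id_extent { uint32_t first, lower_first, count; };

struct id_map {
    uint32_t nr_extents;
    struct id_extent extent[MAX_EXTENTS];
};
/* 4 + 5 * 12 = 64 bytes: the whole map is one (assumed 64-byte) cacheline. */
_Static_assert(sizeof(struct id_map) <= 64, "map must fit one cacheline");

/* Do [a, a+ac) and [b, b+bc) intersect? 64-bit math avoids wraparound. */
static int ranges_overlap(uint32_t a, uint32_t ac, uint32_t b, uint32_t bc)
{
    return (uint64_t)a < (uint64_t)b + bc && (uint64_t)b < (uint64_t)a + ac;
}

/* Add a range; returns 0 on success, -1 if it is empty, would cover
 * INVALID_ID, overlaps an existing range on either side, or the map is full. */
int id_map_add(struct id_map *m, uint32_t first, uint32_t lower_first, uint32_t count)
{
    if (count == 0 || m->nr_extents >= MAX_EXTENTS)
        return -1;
    if ((uint64_t)first + count > UINT32_MAX ||
        (uint64_t)lower_first + count > UINT32_MAX)
        return -1;
    for (uint32_t i = 0; i < m->nr_extents; i++) {
        const struct id_extent *e = &m->extent[i];
        if (ranges_overlap(first, count, e->first, e->count) ||
            ranges_overlap(lower_first, count, e->lower_first, e->count))
            return -1;   /* two ids must never resolve to the same host id */
    }
    m->extent[m->nr_extents++] = (struct id_extent){ first, lower_first, count };
    return 0;
}

/* Translate a namespace id to a host id; unmapped ids fail closed. */
uint32_t id_map_down(const struct id_map *m, uint32_t id)
{
    for (uint32_t i = 0; i < m->nr_extents; i++) {
        const struct id_extent *e = &m->extent[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_ID;
}
```
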