Date:	Sat, 26 May 2012 18:58:48 -0500
From:	Serge Hallyn <serge@...lyn.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Colin Walters <walters@...bum.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org,
	Linux Containers <containers@...ts.linux-foundation.org>
Subject: Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1


----- Original message -----
> Colin Walters <walters@...bum.org> writes:
> 
> > On Tue, 2012-05-22 at 12:48 -0600, Eric W. Biederman wrote:
> > 
> > > My git tree covers all of the modifications needed to convert the
> > > core kernel and enough changes to make a system bootable to runlevel
> > > 1.
> > 
> > What system?   I'm curious about the state of your userspace
> > modifications.
> 
> Debian.
> 
> Userspace won't need any modifications to work, but I am slowly working
> through the patches needed to get everything in the kernel converted.
> And my patches for the networking stack weren't quite ready for the
> merge window.
> 
> Ultimately to be included in distro kernels and really be useful I need
> to make everything in the kernel that plays with uids and gids user
> namespace aware so that is my goal for the next merge window.   We will
> see how that goes.
> 
> As for patches to userspace, all I think I will need is a small change
> to useradd, and perhaps a helper function to validate the mapping into
> the initial user namespace's uids. Aka is user A allowed to use uids
> 100,000-110,000?

To elaborate, remember uids in a user ns each map to a uid on the host (to be precise, in the initial userns).  Mapping to a uid on the host takes privilege.  So a setuid tool (I have a PoC coded) checks a /etc file to see whether the host uids requested by an unprivileged user are allowed to him.  The useradd patch would be to facilitate filling in ranges in that /etc file when the user is created.  So Serge may get 100000-109999, Joe 110000-119999, etc.

Nothing is needed in userspace just to boot a system with a user-ns-enabled kernel, or to have root use user namespaces (other than something to call clone with CLONE_NEWUSER).

> I have a branch in my user-namespace.git with all of the rest of my
> kernel changes if you want to play.   Beyond that I expect most of the
> user space changes (useradd etc) to land in Ubuntu fairly shortly
> after they are viable as I am working closely with a couple folks
> at Ubuntu.
> 
> Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
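The check Serge describes above, a setuid helper consulting an /etc file before an unprivileged user may claim a range of host uids, as an added example written for this page (it is not Serge's PoC and not any shipped tool). The "user:first_host_uid:count" line format, the file contents and the function name are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the /etc file the helper consults.  The line format
 * "user:first_host_uid:count" is an assumption; the message does not fix it. */
static const char *const sample_allowed_file =
    "serge:100000:10000\n"
    "joe:110000:10000\n"
    "# comments are skipped\n"
    "serge:200000:500\n";

/* True only if every host uid in [first, first+count) lies inside ONE range
 * granted to `user`.  Each line is a separate grant, so a request straddling
 * two lines is refused; a zero count or wrapping arithmetic is refused too. */
bool host_uids_allowed(const char *file, const char *user,
                       unsigned long first, unsigned long count)
{
    if (count == 0 || first > ULONG_MAX - (count - 1))
        return false;
    unsigned long last = first + count - 1;      /* inclusive upper bound */

    const char *line = file;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128], name[64];
        unsigned long start, n;

        if (len < sizeof buf) {                  /* over-long lines are ignored */
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (buf[0] != '#' &&
                sscanf(buf, "%63[^:]:%lu:%lu", name, &start, &n) == 3 &&
                strcmp(name, user) == 0 &&
                n > 0 && start <= ULONG_MAX - (n - 1) &&
                start <= first && last <= start + n - 1)
                return true;                     /* fully inside this grant */
        }
        line = nl ? nl + 1 : line + len;
    }
    return false;                                /* no single grant covers it */
}

int main(void)
{
    /* Eric's question: is this user allowed uids 100,000-110,000 (inclusive)? */
    printf("serge 100000..110000: %s\n",
           host_uids_allowed(sample_allowed_file, "serge", 100000, 10001)
               ? "allowed" : "refused");
    return 0;
}
```

With the sample file, 100000-110000 is refused because uid 110000 belongs to joe's grant, while 100000-109999 is allowed.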
