Message-Id: <1338076728.1716.2.camel@Nokia-N900-51-1>
Date: Sat, 26 May 2012 18:58:48 -0500
From: Serge Hallyn <serge@...lyn.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
Colin Walters <walters@...bum.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org,
Linux Containers <containers@...ts.linux-foundation.org>
Subject: Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1
----- Original message -----
> Colin Walters <walters@...bum.org> writes:
>
> > On Tue, 2012-05-22 at 12:48 -0600, Eric W. Biederman wrote:
> >
> > > My git tree covers all of the modifications needed to convert the
> > > core kernel and enough changes to make a system bootable to runlevel
> > > 1.
> >
> > What system? I'm curious about the state of your userspace
> > modifications.
>
> Debian.
>
> Userspace won't need any modifications to work, but I am slowly working
> through the patches needed to get everything in the kernel converted.
> And my patches for the networking stack weren't quite ready for the
> merge window.
>
> Ultimately to be included in distro kernels and really be useful I need
> to make everything in the kernel that plays with uids and gids user
> namespace aware so that is my goal for the next merge window. We will
> see how that goes.
>
> As for patches to userspace, all I think I will need is a small change
> to useradd, and perhaps a helper function to validate the mapping into
> the initial user namespace's uids. Aka is user A allowed to use uids
> 100,000-110,000?
To elaborate, remember uids in a user ns each map to a uid on the host (to be precise, in the initial userns). Mapping to a uid on the host takes privilege. So a setuid tool (I have a PoC coded) checks a /etc file to see whether the host uids requested by an unprivileged user are allowed to him. The useradd patch would be to facilitate filling in ranges in that /etc file when the user is created. So serge may get 100000-109999, joe 110000-119999, etc.
Nothing is needed in userspace just to boot a system with a user-ns-enabled kernel, or to have root use user namespaces (other than something to call clone with CLONE_NEWUSER).
> I have a branch in my user-namespace.git with all of the rest of my
> kernel changes if you want to play. Beyond that I expect most of the
> user space changes (useradd etc) to land in Ubuntu fairly shortly
> after they are viable as I am working closely with a couple folks
> at Ubuntu.
>
> Eric
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> in the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
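The privilege check Serge describes for the setuid helper, written out as an added example that is not part of the original thread or of any of the authors' code: it parses a constructed per-user allowance file (the `user:start:count` layout is an assumption, modelled on the later /etc/subuid convention) and refuses any requested host uid range that is not wholly granted to the requesting user, emitting the uid_map line only when the request passes.

```python
# Added example, not from the thread: validator for a per-user host-uid allowance
# file of the kind Serge's setuid PoC reads. The user:start:count line format is an
# assumption modelled on the later /etc/subuid convention.
from dataclasses import dataclass

# Constructed sample of the allowance file from the mail:
# serge may use host uids 100000-109999, joe 110000-119999.
SAMPLE_ALLOW_FILE = """\
# user:first_host_uid:count
serge:100000:10000
joe:110000:10000
serge:200000:500
"""

@dataclass(frozen=True)
class Range:
    start: int
    count: int

    @property
    def end(self) -> int:  # exclusive upper bound
        return self.start + self.count

def parse_allow_file(text: str) -> dict[str, list[Range]]:
    """Parse user:start:count lines; blank lines and '#' comments are skipped."""
    allowed: dict[str, list[Range]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        if int(count) <= 0 or int(start) < 0:
            raise ValueError(f"line {lineno}: bad range")
        allowed.setdefault(user, []).append(Range(int(start), int(count)))
    return allowed

def mapping_allowed(allowed, user, ns_uid, host_uid, count) -> bool:
    """True if [host_uid, host_uid+count) lies entirely inside one range granted to user."""
    if count <= 0 or ns_uid < 0 or host_uid < 0:
        return False
    req = Range(host_uid, count)
    # Kept simple: a request must fit within a single granted range (adjacent
    # grants are not merged), so no uid outside a grant can ever be mapped.
    return any(r.start <= req.start and req.end <= r.end for r in allowed.get(user, []))

def uid_map_line(allowed, user, ns_uid, host_uid, count) -> str:
    """Format one uid_map line (ns_uid host_uid count), refusing anything not granted."""
    if not mapping_allowed(allowed, user, ns_uid, host_uid, count):
        raise PermissionError(f"{user} may not map host uids {host_uid}-{host_uid + count - 1}")
    return f"{ns_uid} {host_uid} {count}"
```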