lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 14 May 2013 15:54:06 +0800
From:	Gao feng <gaofeng@...fujitsu.com>
To:	Rob Landley <rob@...dley.net>
CC:	richard -rw- weinberger <richard.weinberger@...il.com>,
	Michael Kerrisk-manpages <mtk.manpages@...il.com>,
	linux-man <linux-man@...r.kernel.org>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	Serge Hallyn <serge.hallyn@...ntu.com>,
	lkml <linux-kernel@...r.kernel.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Vasily Kulikov <segoon@...nwall.com>
Subject: Re: For review: user_namespaces(7) man page

On 04/30/2013 03:45 AM, Rob Landley wrote:
> On 04/29/2013 02:45:45 AM, richard -rw- weinberger wrote:
>> On Thu, Mar 21, 2013 at 4:52 PM, Michael Kerrisk (man-pages)
>> <mtk.manpages@...il.com> wrote:
>> > Hi Serge,
>> >
>> > On Fri, Mar 15, 2013 at 4:38 PM, Serge Hallyn <serge.hallyn@...ntu.com> wrote:
>> >> Hi,
>> >>
>> >> you mention that after creating a new user namespace you at first have
>> >> all capabilities in the new ns.  You don't explicitly mention (or I
>> >> missed it - I did see the mention of securebits) that if you want to
>> >> keep those capabilities after doing an exec, you need to first have
>> >> something mapped to uid 0 in the userns, and do setuid(0).
>> >
>> > Good point. I'll add something on that.
>> >
>> >> You might not want to list manpages from other projects,
>> >
>> > Actually, not a problem. Many of the pages in my set already do this.
>> >
>> >> but Eric's
>> >> shadow patches introduce some good new manpages as well.  Those aren't yet
>> >> accepted upstream, but if/when they are then mention at least of
>> >> subuid(5), subgid(5), and newuidmap(1) and newgidmap(1) might be good.
>> >
>> > I'll add those.
>> >
>> > Cheers,
>> >
>> > Michael
>>
>> Can we please also document which capabilities are useless within an
>> user namespace?
>> E.g. CAP_MKNOD.
>> You get this capability but the kernel always checks it against the
>> initial userns.
> 
> Is there a device namespace?
> 

No,and I don't think we need device namespace now.

> I vaguely recall OpenVZ implemented moving individual PCI devices into containers so some large movie company could put one video card in each container for render farms. There are lots of devices
> that aren't _really_ privileged (/dev/zero, /dev/null, /dev/full, /dev/ram) and more that could be emulated...

You can create these devices on host for container, and use device cgroup to limit which container can use these devices.

> 
> (Really this seems like a situation where devtmpfs needs -o newinstance and a corresponding filtered event netlink feed to pass to udev/mdev. And that might even have been feasible before Greg decided
> that devtmpfs needed to have opinions about uids. Oh well.)
> 
> Rob--
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ