LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: "Serge E. Hallyn" <email@example.com>
To: "Eric W. Biederman" <firstname.lastname@example.org>
Cc: "Serge E. Hallyn" <email@example.com>, Ian Kent <firstname.lastname@example.org>,
Jeff Moyer <email@example.com>,
Andrew Morton <firstname.lastname@example.org>,
Kernel Mailing List <email@example.com>,
autofs mailing list <firstname.lastname@example.org>,
Pavel Emelyanov <email@example.com>
Subject: Re: [PATCH 3/4] autofs4 - track uid and gid of last mount requestor
Date: Mon, 3 Mar 2008 09:28:55 -0600 [thread overview]
Message-ID: <20080303152855.GB25643@sergelap.austin.ibm.com> (raw)
Quoting Eric W. Biederman (firstname.lastname@example.org):
> "Serge E. Hallyn" <email@example.com> writes:
> > The way the user namespaces work right now is similar to say the IPC
> > namespace - a task belongs to one user, that user belongs to precisely
> > one user namespace.
> > Even in my additional userns patches, I was changing uid to store the
> > (uid, userns) so a struct user still belonged to just one user
> > namespace.
> > In contrast, with pid namespaces a task is associated with a 'struct
> > pid' which links it to multiple process ids, one in each pid namespace
> > to which it belongs.
> > Perhaps we should be treating user namespaces like pid namespaces?
> > For autofs this would mean that when autofs wants a uid for some task,
> > it would be given the uid in the user namespace which autofs 'knows'.
> > It would also help me fix the siginfo problems I haven't solved yet -
> > rather than having to worry about user namespace lifetimes with siginfos
> > (which last a little while but have no clearly defined lifespan) we
> > could send the uid in an init user namespace or the uid in the target
> > uid namespace, or just a lightweight user struct proxy akin to 'struct
> > pid'.
> > And it also obviates the need for any sort of delegation.
> > So if I'm user 500 in what I think is the initial user namespace, I can
> > create a container with a new user namespace, the init task of which is
> > both uid 0 in the child userns, and uid 500 in the higher level,
> > automatically giving the container access to any files I own.
> > Eric, when you get a chance (I know you're overloaded atm) I'd love to
> > hear your thoughts on this...
> I think the concept of mapping uids between user namespaces is
> fundamental to properly describing and thinking about the semantics of
> user namespaces correct.
Earlier I had thought this could just be done using a special keyring,
but atm I'm thinking that would be far uglier than just having a
struct pid-like credential proxy in the kernel to pass around in place
> We don't have to start out anything except handling the case when
> no mapping exists, but asking the question how does this uid map
> between from one namespace to another is fundamental.
But in any case I'm happy letting other things like netns and related
sys be completed before prototyping this.
next prev parent reply other threads:[~2008-03-03 15:29 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-26 3:21 [PATCH 0/4] autofs4 - autofs needs a miscelaneous device for ioctls Ian Kent
2008-02-26 3:22 ` [PATCH 1/4] autofs4 - check for invalid dentry in getpath Ian Kent
2008-02-26 3:23 ` [PATCH 3/4] autofs4 - track uid and gid of last mount requestor Ian Kent
2008-02-26 5:14 ` [PATCH 3/4] autofs4 - track uid and gid of last mount requestor - correction Ian Kent
2008-02-28 4:45 ` [PATCH 3/4] autofs4 - track uid and gid of last mount requestor Andrew Morton
2008-02-28 6:22 ` Ian Kent
2008-02-28 6:37 ` Andrew Morton
2008-02-28 7:08 ` Ian Kent
2008-02-28 7:23 ` Andrew Morton
2008-02-28 8:00 ` Ian Kent
2008-02-28 17:13 ` Jeff Moyer
2008-02-28 19:51 ` Serge E. Hallyn
2008-02-29 3:32 ` Ian Kent
2008-02-29 16:09 ` Serge E. Hallyn
2008-02-29 16:20 ` Pavel Emelyanov
2008-02-29 17:42 ` Serge E. Hallyn
2008-03-02 0:49 ` Eric W. Biederman
2008-03-02 1:13 ` Eric W. Biederman
2008-03-03 15:28 ` Serge E. Hallyn [this message]
2008-03-04 22:16 ` Eric W. Biederman
2008-02-28 7:51 ` Pavel Emelyanov
2008-02-28 7:59 ` Andrew Morton
2008-02-28 8:06 ` Ian Kent
2008-02-28 12:31 ` [autofs] " Fabio Olive Leite
2008-02-28 20:33 ` Eric W. Biederman
2008-02-26 3:23 ` [PATCH 4/4] autofs4 - add miscelaneous device for ioctls Ian Kent
2008-02-28 5:17 ` Andrew Morton
2008-02-28 6:18 ` Ian Kent
2008-03-13 7:00 ` [RFC] " Ian Kent
2008-03-14 2:45 ` Ian Kent
2008-03-14 12:45 ` Thomas Graf
2008-03-14 14:10 ` Ian Kent
2008-02-29 16:24 ` Ian Kent
2008-04-11 7:02 ` Ian Kent
2008-04-12 4:03 ` Andrew Morton
2008-04-14 4:45 ` Ian Kent
2008-02-26 4:29 ` [PATCH 2/4] autofs4 - add mount option to display mount device Ian Kent
2008-02-28 5:17 ` Andrew Morton
2008-02-28 4:40 ` [PATCH 0/4] autofs4 - autofs needs a miscelaneous device for ioctls Andrew Morton
2008-02-28 6:07 ` Ian Kent
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--subject='Re: [PATCH 3/4] autofs4 - track uid and gid of last mount requestor' \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).