LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

user namespace and uid namespace

user namespace and uid namespace

Posted Apr 3, 2011 11:02 UTC (Sun) by ebiederm (subscriber, #35028)
In reply to: user namespace and uid namespace by mfedyk
Parent article: The 2.6.39 merge window concludes

The uid/user namespace that went in around 2.6.27 is the same one under discussion. Unfortunately the implementation was massively incomplete and did not handle the case of where anything from different user namespaces were mixed.

In particular the user namespace is still moving in the direction of converting all of the checks from simple uid equality to comparing the tuple of usernamespace and uid.

The specific question about remounting a filesystem, the filesystem of piece of the permission checks has yet to be updated.

The reason getting a full set of capabilities will be harmless is because it is actually equivalent to dropping all capabilties. The capabilities will only apply to objects and namespaces created after you create the user namespace. So once properly implemented you simply won't be able to do anything dangerous but you will be able to use facilities that today are root only, only because suid root applications could be spoofed.

Eric

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds