Josh Triplett <josh@xxxxxxxxxxxxxxxx> writes: > Analogous to the supplementary GID list, the supplementary UID list > provides a set of additional user credentials that a process can act as. > A process with CAP_SETUID can set its UID list arbitrarily; a process > without CAP_SETUID can only reduce its UID list. > > This allows each user to have a set of UIDs that they can then use to > further sandbox individual child processes without first escalating to > root to change UIDs. For instance, a PAM module could give each user a > block of UIDs to work with. A couple of quick comments on this patch. 1) user namespaces already allow you to do this. 2) After having looked at the group case I am afraid this intersects in an unfortunate way with user namespaces. 3) This intersects in a very unfortunate way with setresuid. Applications that today know they are dropping all privileges won't be dropping all privielges with this change. Which sounds like a recipe for a security exploit to me. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
