On Tue, May 07, 2024 at 01:38:42PM -0700, Andy Lutomirski wrote: > On Tue, May 7, 2024 at 12:42 AM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > > > > With my kernel hat on, maybe I agree. But with my *user* hat on, I > > > think I pretty strongly disagree. Look, idmapis lousy for > > > unprivileged use: > > > > > > $ install -m 0700 -d test_directory > > > $ echo 'hi there' >test_directory/file > > > $ podman run -it --rm > > > --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > > > > $ podman run -it --rm --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > > > > as an unprivileged user doesn't use idmapped mounts at all. So I'm not > > sure what this is showing. I suppose you're talking about idmaps in > > general. > > Meh, fair enough. But I don't think this would have worked any better > with privilege. > > Can idmaps be programmed by an otherwise unprivileged owner of a > userns and a mountns inside? Yes, but only for userns mountable filesystems that support idmapped mounts. IOW, you need privilege over the superblock and the idmapping you're trying to use. > > > Many idmappings to one is in principle possible and I've noted that idea > > down as a possible extension at > > https://github.com/uapi-group/kernel-features quite a while (2 years?) ago. > > > > > I haven't looked at the idmap implementation nearly enough to have any > > > opinion as to whether squashing UID is practical or whether there's > > > > It's doable. The interesting bit to me was that if we want to allow > > writes we'd need a way to determine what the uid/gid would be to write > > down. Imho, that's not super difficult to solve though. The most obvious > > one is that userspace can just determine it when creating the idmapped > > mount. > > Seems reasonable to me. If this is set up by someone unprivileged, it > would need to be that uid/gid.
