On Wed, 24 Jan 2007 12:58:45 -0600 "Serge E. Hallyn" <serue at us.ibm.com> wrote: > > If we need to I can see doing something special if the process setting > > fown has CAP_KILL > > Obviously CAP_KILL is insufficient :) I assume you mean a new > CAP_XNS_CAP_KILL? > > > and bypassing the security checks that way, but > > hard coding rules like that when it doesn't appear we have any > > experience to indicate we need the extra functionality looks > > premature. > > Ok, in this case actually I suspect you're right and we can just ditch > the exception. But in general the security discussion is one we should > still have. People like security. Where do we now stand with this patch, and with "[PATCH 4/8] user ns: hook permission"?