Re: [PATCH 0/3] keys: play nicely with user namespaces


Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> So far the design is that user namespaces are disjoint with one specific
> exception.
> 
> The user who creates the user namespace is expected to have god like powers
> over all users in the created user namespace.

I see.

> When carefully implemented will allow a user namespace to be created with
> normal user permissions and for the user that created user namespace to
> manage the resources owned by users in that user namespace.

I'm not sure how to deal with this wrt keys.  There are two problems to
consider:

 (1) Should a key with UID 500 from namespace A in Serge's example be visible
     in namespace B?

     If such a key should show up in namespace B, should its UID be given as 0
     to userspace?

 (2) How is the quota controlled?  Do new keys made up under the domain of
     namespace B go to namespace B UID 0's quota?  Or do they come out of
     namespace A's UID 500 quota?

David
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
