Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> So far the design is that user namespaces are disjoint with one specific
> exception.
>
> The user who creates the user namespace is expected to have god like powers
> over all users in the created user namespace.

I see.

> When carefully implemented will allow a user namespace to be created with
> normal user permissions and for the user that created user namespace to
> manage the resources owned by users in that user namespace.

I'm not sure how to deal with this wrt keys. There are two problems to
consider:

 (1) Should a key with UID 500 from namespace A in Serge's example be visible
     in namespace B? If such a key should show up in namespace B, should its
     UID be given as 0 to userspace?

 (2) How is the quota controlled? Do new keys made up under the domain of
     namespace B go to namespace B UID 0's quota? Or do they come out of
     namespace A's UID 500 quota?

David
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers