Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > "Serge E. Hallyn" <serge@xxxxxxxxxx> writes: > > > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > > >> A child user namespace having capabilities against processes in it's > >> parent seems totally bizarre and pretty dangerous from a capabilities > >> standpoint. > > > > How would it have them against its parent? > > init_user_ns > userns a --- created by kuid 1 Now a mapping needs to be set up (by a task with CAP_SYS_ADMIN in init_user_ns) which allows kuids 1 and 2 to be used by userns a. Otherwise (if no mapping is set up) userns a only has the overlowuid. Realistically only kuids over 100000 (let's say) would used. i.e. kuids 100,000-199,999 would map to container uids 0-99,999. > userns b -- created by kuid 2 Now a mapping needs to be set up (by a task with CAP_SYS_ADMIN in userns a) which allows kuids 1 and 2 to be used by userns b. If userns had been mapped with kuids 100,000-199,999 mapping to uids 0-99999, then only kuids in that range could be mapped into userns b. > process c in userns b with kuid 1 > > Serge read the first permisison check in common_cap. > Think what happens in the above example. > > For the rest I understand your concern. Ok. Then we can discuss my concern later (after the new year). > Serge please read and look at the patches I have posted to fix > the issues Andy found with the user namespace tree. Especially > the fix to commit_creds. The setns fixes were IMO the most important - and interesting - ones :) Thanks, Andy! > After you have looked at the patches to fix the issues I will > be happy to discuss things further with you. Thanks, -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
