Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > "Serge E. Hallyn" <serge@xxxxxxxxxx> writes: > > > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > > > > Hi, > > > >> +static bool verify_range(struct passwd *pw, struct map_range *range) > >> +{ > >> + /* An empty range is invalid */ > >> + if (range->count == 0) > >> + return false; > >> + > >> + /* Test /etc/subuid */ > >> + if (have_sub_uids(pw->pw_name, range->lower, range->count)) > >> + return true; > > > > I think the have_sub_uids() test should be skipped if we started > > out as root. Is there a reason not to do that? > > The only reason I can see for root to use this binary is if it a flavor > of root that has dropped some capbilities. Is there a reason for root > to use newuidmap and newgid map at all? Of course. It keeps things simpler for creating mapped containers. Otherwise we have to special-case the "i am root" vs "i am not root" case when untarring a rootfs for a container. > Otherwise I think it makes sense to enforce whatever the system choosen > policy is on root, because root is opting in. > > Eric > _______________________________________________ > Containers mailing list > Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > https://lists.linuxfoundation.org/mailman/listinfo/containers _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers