Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> "Serge E. Hallyn" <serge@xxxxxxxxxx> writes:
>
> > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> >
> > Hi,
> >
> >> +static bool verify_range(struct passwd *pw, struct map_range *range)
> >> +{
> >> + /* An empty range is invalid */
> >> + if (range->count == 0)
> >> + return false;
> >> +
> >> + /* Test /etc/subuid */
> >> + if (have_sub_uids(pw->pw_name, range->lower, range->count))
> >> + return true;
> >
> > I think the have_sub_uids() test should be skipped if we started
> > out as root. Is there a reason not to do that?
>
> The only reason I can see for root to use this binary is if it a flavor
> of root that has dropped some capbilities. Is there a reason for root
> to use newuidmap and newgid map at all?
Of course. It keeps things simpler for creating mapped containers.
Otherwise we have to special-case the "i am root" vs "i am not root"
case when untarring a rootfs for a container.
> Otherwise I think it makes sense to enforce whatever the system choosen
> policy is on root, because root is opting in.
>
> Eric
> _______________________________________________
> Containers mailing list
> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
> https://lists.linuxfoundation.org/mailman/listinfo/containers
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
