Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Serge Hallyn <serge.hallyn@xxxxxxxxxx> writes:
>
> > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> >> "Serge E. Hallyn" <serge@xxxxxxxxxx> writes:
> >>
> >> > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> >> >
> >> > Hi,
> >> >
> >> >> +static bool verify_range(struct passwd *pw, struct map_range *range)
> >> >> +{
> >> >> + /* An empty range is invalid */
> >> >> + if (range->count == 0)
> >> >> + return false;
> >> >> +
> >> >> + /* Test /etc/subuid */
> >> >> + if (have_sub_uids(pw->pw_name, range->lower, range->count))
> >> >> + return true;
> >> >
> >> > I think the have_sub_uids() test should be skipped if we started
> >> > out as root. Is there a reason not to do that?
> >>
> >> The only reason I can see for root to use this binary is if it a flavor
> >> of root that has dropped some capbilities. Is there a reason for root
> >> to use newuidmap and newgid map at all?
> >
> > Of course. It keeps things simpler for creating mapped containers.
> > Otherwise we have to special-case the "i am root" vs "i am not root"
> > case when untarring a rootfs for a container.
>
> I guess my practical question is don't we want to reserve a range of
> subuid's for root owned containers as well. Just so that we know
> someone is using those uids and we don't get them allocated to another
> purpose?
>
> Or am I missing something here?
That's a not unreasonable argument, but two counters: 1. "someone"
using the uids used by root would mean root assigned those uids to
someone. That's a misconfiguration, in other words this is keeping
root from shooting himself in the foot. It's not in the kernel though,
so maybe it's ok. 2. I like to think that any time something fails
as my user, if it fails due to permission reasons, then if I run it
as root it should work. That's useful for debugging, and just seems
coherent with how most things work.
-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
