Re: Getting userns enabled in vendor kernels

Gao feng <gaofeng@xxxxxxxxxxxxxx> writes:

> On 11/13/2013 11:13 PM, Daniel P. Berrange wrote:
>> 
>>   commit 5eaf563e53294d6696e651466697eb9d491f3946
>>   Author: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
>>   Date:   Mon Nov 21 17:22:31 2011 -0800
>> 
>>     userns: Allow unprivileged users to create user namespaces.
>
> I don't know what benefit this commit brings and what use case this
> commit tries to support.
>
> In most use cases, the container/namespace is created by a privileged
> user and the id-map can prevent unsafe things.
>
> IMO, I think this patch can be reverted.

This patch brings tremendous benefit, and by itself is completely safe.

It is the added ns_capable calls that are potentially dangerous, and it
seems you like the idea of taking advantage of those.

The goal is to not let anything that is not safe for an unprivileged
user to use happen in a user namespace.  One primary use for user
namespaces is separate administrative domains.  Aka allowing someone you
don't trust with root privileges to do things on your box.  You trust
them with shell access but that is another story.

So if it is safe enough in general for people with shell access to use
the functionality, restricting the creation of user namespaces to root
is silly.

Restricting user namespace creation to root really is a form of
sticking your fingers in your ears, closing your eyes, and going
la-la-la-la I can't hear you when faced with security issues.

For production use it is either as safe as the rest of the kernel or it
is not.  A sysctl so you can turn user namespaces on/off so you can
experiment with them while they are maturing is something that might be
reasonable.  But again that is another form of CYA.  But likely a
reasonable CYA for a distro kernel.

I intend to fix bugs and enable people to actually use their kernel, not
run around trying to point the blame for things that go wrong at
others.

And now back to my regularly scheduled bug fixing.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
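The two technical points argued above, that an unprivileged user may or may not be allowed to create a user namespace and that the id-map keeps in-namespace "root" confined to the caller's real uid, can be checked on a running kernel. The following is an added example written for this archive page, not code from the thread or from the kernel; it relies on unshare(2) with CLONE_NEWUSER and on the documented /proc/[pid]/uid_map line format ("ns_start parent_start count"), and the uid_map text it parses is constructed.

```c
/* Added example: probe unprivileged user-namespace creation and show how a
 * uid_map confines in-namespace uids to the parent namespace's ids. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Translate an in-namespace uid to the parent-namespace uid using the
 * /proc/[pid]/uid_map format, one "<ns_start> <parent_start> <count>" per
 * line. Returns -1 when the uid falls in no mapping (the kernel then shows
 * it as the overflow uid, typically 65534). */
long map_uid_out(const char *uid_map, long ns_uid) {
    const char *p = uid_map;
    while (p && *p) {
        long ns_start, parent_start, count;
        if (sscanf(p, "%ld %ld %ld", &ns_start, &parent_start, &count) == 3 &&
            ns_uid >= ns_start && ns_uid < ns_start + count)
            return parent_start + (ns_uid - ns_start);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Attempt to enter a fresh user namespace without any privilege.
 * Returns 0 when the kernel allows it, otherwise the errno it reported
 * (EPERM is what a kernel or distro sysctl that forbids it returns). */
int probe_unprivileged_userns(void) {
    if (unshare(CLONE_NEWUSER) == 0)
        return 0;
    return errno;
}

int main(void) {
    /* Constructed map: in-namespace root (uid 0) is really outer uid 1000,
     * and only that single id is mapped. */
    const char *single_map = "         0       1000          1\n";
    printf("ns uid 0 -> outer uid %ld\n", map_uid_out(single_map, 0));
    printf("ns uid 1 -> outer uid %ld (unmapped)\n", map_uid_out(single_map, 1));

    int err = probe_unprivileged_userns();
    if (err == 0)
        printf("unprivileged CLONE_NEWUSER: allowed (euid now %u)\n", geteuid());
    else
        printf("unprivileged CLONE_NEWUSER: refused, %s\n", strerror(err));
    return 0;
}
```

The first two lines of output are the id-map arithmetic the thread refers to; the last line tells you whether this kernel (or a distro sysctl) permits the unprivileged creation the commit under discussion enabled.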
