Re: [PATCH] userns: Relax the posix_acl_valid() checks

On Sat, 21 Dec 2013 19:22:26 +0100 Andreas Gruenbacher <agruen@xxxxxxxxxx> wrote:

> So far, POSIX ACLs are using a canonical representation that keeps all ACL
> entries in a strict order; the ACL_USER and ACL_GROUP entries for specific
> users and groups are ordered by user and group identifier, respectively. The
> user-space code provides ACL entries in this order; the kernel verifies that
> the ACL entry order is correct in posix_acl_valid().
> 
> User namespaces allow user and group identifiers to be mapped arbitrarily, which can
> cause the ACL_USER and ACL_GROUP entry order to differ between user space and
> the kernel; posix_acl_valid() would then fail.
> 
> Work around this by allowing ACL_USER and ACL_GROUP entries to be in any order
> in the kernel. The effect is only minor: file permission checks will pick the
> first matching ACL_USER entry, and check all matching ACL_GROUP entries.
> 
> (The libacl user-space library and getfacl / setfacl tools will not create ACLs
> with duplicate user or group identifiers; they will handle ACLs with entries in
> an arbitrary order correctly.)

Should this be backported into -stable kernels?
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
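
The ordering problem described in the quoted commit message, as an added example that is not part of the original thread and is not kernel code: a small model showing how an ACL_USER list sorted in user space can arrive out of order after id mapping, so a strict ordering check rejects it while a relaxed check accepts it. The `extent` layout, the function names, the sample maps and the rule that unmapped ids are always rejected are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: one extent of an id map. */
struct extent { uint32_t ns_first, host_first, count; };

/* Translate a namespace id to a kernel id; -1 means unmapped. */
static int64_t map_id(const struct extent *m, size_t nm, uint32_t id)
{
    for (size_t i = 0; i < nm; i++)
        if (id >= m[i].ns_first && id - m[i].ns_first < m[i].count)
            return (int64_t)m[i].host_first + (id - m[i].ns_first);
    return -1;
}

/* Map ACL_USER ids given in user-space order, then validate kernel-side.
 * strict != 0: mapped ids must be strictly ascending.
 * strict == 0: any order is accepted.
 * Unmapped ids fail in both modes (assumption of this model).
 * Returns 1 if the list is valid, 0 otherwise. */
static int acl_users_valid(const struct extent *m, size_t nm,
                           const uint32_t *ns_ids, size_t n, int strict)
{
    int64_t prev = -1;
    for (size_t i = 0; i < n; i++) {
        int64_t k = map_id(m, nm, ns_ids[i]);
        if (k < 0)
            return 0;
        if (strict && k <= prev)
            return 0;
        prev = k;
    }
    return 1;
}

/* Constructed sample data. */
static const struct extent identity_map[] = { { 0, 0, 65536 } };
static const struct extent swapped_map[] = {
    { 0,    200000, 1000 },  /* ns 0..999     -> 200000..200999 */
    { 1000, 100000, 1000 },  /* ns 1000..1999 -> 100000..100999 */
};
static const uint32_t acl_users[] = { 500, 1500 };  /* sorted in user space */

int main(void)
{
    printf("identity, strict: %d\n", acl_users_valid(identity_map, 1, acl_users, 2, 1));
    printf("swapped,  strict: %d\n", acl_users_valid(swapped_map, 2, acl_users, 2, 1));
    printf("swapped, relaxed: %d\n", acl_users_valid(swapped_map, 2, acl_users, 2, 0));
    return 0;
}
```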



