On December 9, 2014 4:28:38 PM CST, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>On Tue, Dec 9, 2014 at 12:42 PM, Eric W. Biederman
><ebiederm@xxxxxxxxxxxx> wrote:
>>
>> - Expose the knob to user space through a proc file
>>   /proc/<pid>/setgroups
>>
>>   A value of "deny" means the setgroups system call is disabled in the
>>   current process's user namespace and can not be enabled in the
>>   future in this user namespace.
>>
>>   A value of "allow" means the setgroups system call is enabled.
>>
>> - Descendant user namespaces inherit the value of setgroups from
>>   their parents.
>>
>> - A proc file is used (instead of a sysctl) as sysctls
>>   currently do not pass in a struct file so file_ns_capable
>>   is unusable.
>
>Reviewed-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>
>But I still don't like the name "setgroups". People may look at that
>and have no clue what the scope of the setting is. And anyone who, as
>root, writes "deny" to /proc/self/setgroups, thinking that it acts on
>self, will be in for a surprise.

True, setgroups isn't perfect. Documenting it in a manpage may have to be enough.

The only real improvement I can think of would be to make the setting a sysctl. But I think pursuing that approaches the point where perfection is the enemy of getting this problem fixed.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
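The following C program is an added example, not code from the patch or from anyone in this thread. It exercises the three properties of the /proc/<pid>/setgroups knob that the quoted patch description states: a fresh user namespace starts as "allow", writing "deny" disables setgroups() and cannot be undone in that namespace, and a descendant user namespace inherits the value. It assumes a kernel that shipped the knob (Linux 3.19 or later) and an environment where unprivileged unshare(CLONE_NEWUSER) is permitted; where it is not (seccomp, a sysctl, or an older kernel), the program reports the knob as unavailable rather than failing. The uid_map/gid_map step is an assumption beyond the quoted text: an unprivileged writer may map exactly its own uid, and its own gid only once setgroups has been denied; it is included so the later setgroups() failure is attributable to the knob rather than to an empty gid_map.

```c
/* Added example (not from the patch or the thread): exercise the
 * /proc/<pid>/setgroups knob from inside a fresh user namespace.
 * Assumes Linux >= 3.19 and that unshare(CLONE_NEWUSER) is allowed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of run_demo(). */
enum { DEMO_OK = 0, DEMO_UNAVAILABLE = 1, DEMO_UNEXPECTED = 2 };

/* Write text to a /proc file; returns 0 on success or -errno. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Read /proc/self/setgroups ("allow" or "deny") without the trailing newline. */
static int read_setgroups(char *buf, size_t len)
{
    int fd = open("/proc/self/setgroups", O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Runs in a forked child so the caller's own namespaces stay untouched. */
static int child_demo(void)
{
    char state[32], map[64];
    /* Capture ids before unshare: inside an unmapped namespace getuid()
     * reports the overflow id, not the id that belongs in uid_map. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0)
        return DEMO_UNAVAILABLE;            /* blocked by seccomp/sysctl */
    if (read_setgroups(state, sizeof state) != 0)
        return DEMO_UNAVAILABLE;            /* kernel predates the knob */
    if (strcmp(state, "allow") != 0)
        return DEMO_UNEXPECTED;             /* fresh namespace starts "allow" */

    /* "deny" switches setgroups off for this user namespace. */
    if (write_proc("/proc/self/setgroups", "deny") != 0)
        return DEMO_UNEXPECTED;
    if (read_setgroups(state, sizeof state) != 0 || strcmp(state, "deny") != 0)
        return DEMO_UNEXPECTED;

    /* Assumption beyond the quoted text: map our own uid and gid (the gid
     * is only writable once setgroups is denied) so gid_map is non-empty
     * and the refusal below is caused by the knob alone. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map) != 0)
        return DEMO_UNEXPECTED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_proc("/proc/self/gid_map", map) != 0)
        return DEMO_UNEXPECTED;

    /* The system call is refused although we hold CAP_SETGID in here... */
    if (setgroups(0, NULL) == 0 || errno != EPERM)
        return DEMO_UNEXPECTED;
    /* ...and "deny" cannot be turned back into "allow". */
    if (write_proc("/proc/self/setgroups", "allow") != -EPERM)
        return DEMO_UNEXPECTED;

    /* A descendant user namespace inherits the value. */
    if (unshare(CLONE_NEWUSER) != 0)
        return DEMO_UNEXPECTED;
    if (read_setgroups(state, sizeof state) != 0 || strcmp(state, "deny") != 0)
        return DEMO_UNEXPECTED;
    return DEMO_OK;
}

/* Fork, run child_demo(), and hand its DEMO_* code back to the caller. */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_UNAVAILABLE;
    if (pid == 0)
        _exit(child_demo());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return DEMO_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "ok", "unavailable here", "unexpected" };
    int r = run_demo();
    printf("setgroups knob demo: %s\n", names[r]);
    return r == DEMO_UNEXPECTED;
}
```

Andy's objection in the quoted mail is visible in the program: the file is opened as /proc/self/setgroups, yet every effect (the refused setgroups(), the refused "allow", the inherited "deny") is a property of the user namespace, not of the writing process.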