On Mon, May 6, 2024 at 12:35 PM David Laight <David.Laight@xxxxxxxxxx> wrote:
> > ...
> > So I want a way to give *an entire container* access to a directory.
> > Classic UNIX DAC is just *wrong* for this use case. Maybe idmaps
> > could learn a way to squash multiple ids down to one. Or maybe
> > something like my silly credential-capturing mount proposal could
> > work. But the status quo is not actually amazing IMO.
>
> Isn't that what gids are for :-)

I dunno. How, exactly, is a regular non-root user of a Linux computer
supposed to configure gids in their home directory so that a container
(which uses subgids, possibly dynamically allocated) gets access to the
correct thing? And why should that poor user need to think about this at
all?

--Andy