On Tue, Apr 10, 2012 at 6:14 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Andrew Lutomirski <luto@xxxxxxx> writes:
>
>> On Tue, Apr 10, 2012 at 6:01 PM, Eric W. Biederman
>> <ebiederm@xxxxxxxxxxxx> wrote:
>
>> Sounds like you're reinventing (something very similar to)
>> no_new_privs. Why not just require no_new_privs as a prerequisite for
>> creating a user namespace if you're unprivileged?
>
> As I said in the part of my email you snipped, because no_new_privs will
> break suid exec in the user namespace.
>
> I am most definitely not going to require something that will make
> implementing/using user namespaces almost pointless.

This part:

> Currently the suid exec will fail because the uids don't map.
>
> I might switch that around to simply ignoring the change of uid
> on suid exec. I have a patch in my devel tree that plays with
> that idea. However as much as I hit that case once in testing
> (I think it was ping). I don't think running suid executables
> is particularly interesting.

I'm totally lost now. I'll wait until I play around with the patches
some more.

--Andy