Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Add support for per-user_namespace registers of persistent per-UID kerberos > > caches held within the kernel. > > Out of curiosity is this cache per user namspace because the key lookup > is per user namespace? Yes. You can't see keys in another namespace. I occasionally wonder if I should make the key serial number tree per namespace so that you don't search keys outside your namespace and can't try looking them up by ID - but it complicates the garbage collector which iterates over the entire tree (though it could maintain a list of per-ns trees). > Some minor nits below. But I don't see anything particulary scary about > this patch. Other than seeming to make it easy for root to get my > kerbose tickets. Root can do that anyway with file-based ccaches, I believe. However, you can change the key permissions to prevent root even seeing that your keys/keyrings exist, let alone stealing them. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
