Hello Andy,

> Which directory are you saying must belong to namespace root here?
> You should not be able to read things in the underlay that the namespace
> root could not read, and not write to overlay directories that your
> namespace root cannot write. If you could, you could copy up protected
> files into an overlay by specifying a protected underlay (think ~/over
> overlaying on /etc) or overwrite profiled files by specifying a protected
> overlay (think ~/under overlaid by /etc).

Both the upper and lower directory belong to uid 200000 (which is uid 0 inside the user namespace). The work directory is created by overlayfs itself under the directory specified by the workdir= option, with uid=0 ownership.

I would like to emphasize that a non-root process can write to an overlayfs mount with no problem. The issue arises only when the process switches to its own user namespace. So, we have two scenarios:

1) a non-root process with the uid of the owner of the upper directory can write to an overlayfs mount perfectly well

2) a non-root process with the uid of the owner of the upper directory sometimes gets denied writing to an overlayfs mount, but only if this process is inside its own user namespace and has uid=0 there

Thank you.

Regards,
--
Alexey Naidyonov
--
To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html