From: David Howells
Subject: Re: [PATCH 0/3] keys: play nicely with user namespaces
Date: Fri, 12 Dec 2008 16:42:06 +0000
Message-ID: <26177.1229100126@redhat.com>
References: <20081212162220.GA15520@us.ibm.com> <20081212141707.GB9571@us.ibm.com> <20081211232323.GA8343@us.ibm.com> <3507.1229086294@redhat.com> <25987.1229097458@redhat.com>
In-Reply-To: <20081212162220.GA15520-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: "Serge E. Hallyn"
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Linux Containers, "Eric W. Biederman"
List-Id: containers.vger.kernel.org

Serge E. Hallyn wrote:

> > I'm not sure, and that raises an interesting point. How do you alter the
> > UID and GID of keys that you're copying? You may have a set of keys with
> > different UIDs, for example.
>
> In fact that's the expectation, else why bother creating a new user
> namespace :)
>
> Ok so my preference is to keep them segregated and always empty on
> clone(CLONE_NEWUSER), and it sounds like that's the sanest thing right
> now. Please shout if I'm misunderstanding.

I think you're misunderstanding. You can have, say, a keyring owned by UID 1,
with three keys owned by UIDs 2, 3 and 4, respectively, and you could be, say,
running as UID 5. If you want to copy this keyring and these keys, do you just
set the ownership of the copies to your new UID? That might give you extra
privileges.

David
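The privilege concern David raises can be made concrete with a small model. The following is an added example, not code from this thread or from the kernel: it builds the keyring he describes (owned by UID 1, holding keys owned by UIDs 2, 3 and 4, accessed by a caller running as UID 5) and compares three constructed copy policies for clone(CLONE_NEWUSER): keep the original owners, rebase every copy to the caller's UID, or start the new namespace with an empty keyring as Serge proposes. The permission rule (a key is readable only by its owner unless an "other" bit is set) and all names and UIDs are simplifying assumptions, not the real keyrings permission mask.

```python
"""Constructed model of copying a keyring into a new user namespace.

Not kernel code: the Key/Keyring types, the permission rule and the UIDs
are assumptions made for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Key:
    """A key with an owning UID (assumed model; constructed for the example)."""
    name: str
    uid: int
    other_readable: bool = False  # assumed "other" permission bit, off by default


@dataclass
class Keyring:
    """A keyring owned by one UID, holding keys that may have other owners."""
    uid: int
    keys: list[Key] = field(default_factory=list)


def can_read(key: Key, caller_uid: int) -> bool:
    """Assumed rule: only the owner (or anyone, if the other bit is set) may read."""
    return key.uid == caller_uid or key.other_readable


# --- three candidate policies for what the new namespace receives ---------

def copy_preserving_owner(ring: Keyring, new_uid: int) -> Keyring:
    """Copy the keyring and its keys with ownership left exactly as it was."""
    return Keyring(uid=ring.uid, keys=list(ring.keys))


def copy_rebasing_owner(ring: Keyring, new_uid: int) -> Keyring:
    """Copy and set every copy's owner to the caller's UID (the risky option)."""
    return Keyring(uid=new_uid, keys=[replace(k, uid=new_uid) for k in ring.keys])


def empty_on_clone(ring: Keyring, new_uid: int) -> Keyring:
    """Give the new namespace a fresh, empty keyring owned by the caller."""
    return Keyring(uid=new_uid, keys=[])


def readable_keys(ring: Keyring, caller_uid: int) -> list[str]:
    """Names of the keys in `ring` that `caller_uid` is allowed to read."""
    return [k.name for k in ring.keys if can_read(k, caller_uid)]


def compare_policies() -> dict[str, list[str]]:
    """Run the scenario from the message and report what UID 5 can read."""
    # Constructed scenario: keyring owned by UID 1, keys owned by 2, 3 and 4.
    ring = Keyring(uid=1, keys=[Key("k2", 2), Key("k3", 3), Key("k4", 4)])
    caller = 5
    return {
        "original": readable_keys(ring, caller),
        "preserve_owner": readable_keys(copy_preserving_owner(ring, caller), caller),
        "rebase_owner": readable_keys(copy_rebasing_owner(ring, caller), caller),
        "empty_on_clone": readable_keys(empty_on_clone(ring, caller), caller),
    }


if __name__ == "__main__":
    for policy, names in compare_policies().items():
        print(f"{policy:15s} readable by UID 5: {names}")
```

Before the copy, UID 5 can read none of the three keys; the preserve-owner and empty-keyring policies keep it that way, while rebasing ownership makes all three readable, which is the extra privilege the message warns about.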