From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: mtk.manpages@gmail.com,
Linux Containers <containers@lists.linux-foundation.org>,
Josh Triplett <josh@joshtriplett.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Richard Weinberger <richard@nod.at>,
Kenton Varda <kenton@sandstorm.io>,
stable <stable@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH 2/2] user_namespaces.7: Update the documention to reflect the fixes for negative groups
Date: Thu, 12 Feb 2015 11:11:09 +0100 [thread overview]
Message-ID: <54DC7C3D.4040100@gmail.com> (raw)
In-Reply-To: <87egpwk0n3.fsf@x220.int.ebiederm.org>
On 02/11/2015 03:01 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Eric,
>>
>> Ping!
>>
>> Cheers,
>>
>> Michael
>>
>>
>> On 2 February 2015 at 16:37, Michael Kerrisk (man-pages)
>> <mtk.manpages@gmail.com> wrote:
>>> Hi Eric,
>>>
>>> Thanks for writing this up!
>>>
>>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>>>>
>>>> Files with access permissions such as ---rwx---rwx give fewer
>>>> permissions to their group then they do to everyone else. Which means
>>>> dropping groups with setgroups(0, NULL) actually grants a process
>>>> privileges.
>>>>
>>>> The uprivileged setting of gid_map turned out not to be safe after
> ^^^^^^^^^^^
> unprivileged -- typo fix
Thanks for confirming.
>>>> this change. Privilege setting of gid_map can be interpreted as
>>>> meaning yes it is ok to drop groups.
>>>
>>> I had trouble to parse that sentence (and I'd like to make sure that
>>> the right sentence ends up in the commit message). Did you mean:
>>>
>>> "*Unprivileged* setting of gid_map can be interpreted as meaning
>>> yes it is ok to drop groups"
>>> ?
>>>
>>> Or something else?
>
>
> I meant: Setting of gid_map with privilege has been clarified to mean
> that dropping groups is ok. This allows existing programs that set
> gid_map with privilege to work without changes. That is newgidmap
> continues to work unchanged.
Thanks. I added that text to the changelog message.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
WARNING: multiple messages have this Message-ID (diff)
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: mtk.manpages@gmail.com,
Linux Containers <containers@lists.linux-foundation.org>,
Josh Triplett <josh@joshtriplett.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Richard Weinberger <richard@nod.at>,
Kenton Varda <kenton@sandstorm.io>,
stable <stable@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH 2/2] user_namespaces.7: Update the documention to reflect the fixes for negative groups
Date: Thu, 12 Feb 2015 11:11:09 +0100 [thread overview]
Message-ID: <54DC7C3D.4040100@gmail.com> (raw)
In-Reply-To: <87egpwk0n3.fsf@x220.int.ebiederm.org>
On 02/11/2015 03:01 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Eric,
>>
>> Ping!
>>
>> Cheers,
>>
>> Michael
>>
>>
>> On 2 February 2015 at 16:37, Michael Kerrisk (man-pages)
>> <mtk.manpages@gmail.com> wrote:
>>> Hi Eric,
>>>
>>> Thanks for writing this up!
>>>
>>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>>>>
>>>> Files with access permissions such as ---rwx---rwx give fewer
>>>> permissions to their group then they do to everyone else. Which means
>>>> dropping groups with setgroups(0, NULL) actually grants a process
>>>> privileges.
>>>>
>>>> The uprivileged setting of gid_map turned out not to be safe after
> ^^^^^^^^^^^
> unprivileged -- typo fix
Thanks for confirming.
>>>> this change. Privilege setting of gid_map can be interpreted as
>>>> meaning yes it is ok to drop groups.
>>>
>>> I had trouble to parse that sentence (and I'd like to make sure that
>>> the right sentence ends up in the commit message). Did you mean:
>>>
>>> "*Unprivileged* setting of gid_map can be interpreted as meaning
>>> yes it is ok to drop groups"
>>> ?
>>>
>>> Or something else?
>
>
> I meant: Setting of gid_map with privilege has been clarified to mean
> that dropping groups is ok. This allows existing programs that set
> gid_map with privilege to work without changes. That is newgidmap
> continues to work unchanged.
Thanks. I added that text to the changelog message.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next prev parent reply other threads:[~2015-02-12 10:11 UTC|newest]
Thread overview: 187+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-29 17:26 [PATCH v2] userns: Disallow setgroups unless the gid_map writer is privileged Andy Lutomirski
[not found] ` <52e0643bd47b1e5c65921d6e00aea1f724bb510a.1417281801.git.luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2014-12-02 12:09 ` Eric W. Biederman
2014-12-02 12:09 ` Eric W. Biederman
[not found] ` <87h9xez20g.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 18:53 ` Andy Lutomirski
2014-12-02 18:53 ` Andy Lutomirski
[not found] ` <CALCETrXOz4C7Tu8mggBtR=k47ZmkuAhinVUxWJSFyS1Ep0HvRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 19:45 ` Eric W. Biederman
2014-12-02 19:45 ` Eric W. Biederman
[not found] ` <87mw75ygwp.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 20:13 ` Andy Lutomirski
2014-12-02 20:13 ` Andy Lutomirski
[not found] ` <CALCETrVfO4sBdZcQiZXsofPZMj7pqKeVbX+4g3dAj6WjUca+1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 20:25 ` [CFT][PATCH 1/3] userns: Avoid problems with negative groups Eric W. Biederman
2014-12-02 20:25 ` Eric W. Biederman
[not found] ` <87fvcxyf28.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 20:28 ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-02 20:28 ` Eric W. Biederman
2014-12-02 20:30 ` [CFT][PATCH 3/3] userns: Unbreak the unprivileged remount tests Eric W. Biederman
2014-12-02 20:30 ` Eric W. Biederman
[not found] ` <874mtdyexp.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 20:30 ` Eric W. Biederman
2014-12-02 21:05 ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski
2014-12-02 21:05 ` Andy Lutomirski
[not found] ` <CALCETrXyC7XPaqj6oe-TmyypOVc_CkZbF6UAAx8YfkyD=gEMOQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 21:45 ` Eric W. Biederman
2014-12-02 21:45 ` Eric W. Biederman
2014-12-02 22:17 ` Andy Lutomirski
[not found] ` <CALCETrXkEOiyzpvqtXtk1f4sL+M1Q-Y6rV=K91ez3yv2nb4Y0Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 23:07 ` Eric W. Biederman
2014-12-02 23:07 ` Eric W. Biederman
[not found] ` <87388xodlj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 23:17 ` Andy Lutomirski
2014-12-02 23:17 ` Andy Lutomirski
2014-12-08 22:06 ` [CFT][PATCH 1/7] userns: Document what the invariant required for safe unprivileged mappings Eric W. Biederman
2014-12-08 22:06 ` Eric W. Biederman
[not found] ` <87h9x5re41.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:07 ` [CFT][PATCH 2/7] userns: Don't allow setgroups until a gid mapping has been setablished Eric W. Biederman
2014-12-08 22:07 ` Eric W. Biederman
[not found] ` <87bnndre2h.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:11 ` Andy Lutomirski
2014-12-08 22:11 ` Andy Lutomirski
2014-12-08 22:26 ` Eric W. Biederman
[not found] ` <87h9x5ok0h.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:33 ` Andy Lutomirski
2014-12-08 22:33 ` Andy Lutomirski
2014-12-08 22:17 ` Richard Weinberger
2014-12-08 22:17 ` Richard Weinberger
2014-12-08 22:17 ` Richard Weinberger
[not found] ` <5486237D.4060304-/L3Ra7n9ekc@public.gmane.org>
2014-12-08 22:25 ` Andy Lutomirski
2014-12-08 22:25 ` Andy Lutomirski
[not found] ` <CALCETrXSG5QN8J3GtZjLdV6T7j_uaMG=fyTDt27vEK0NpGs9qg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-08 22:27 ` Richard Weinberger
2014-12-08 22:27 ` Richard Weinberger
[not found] ` <548625E3.6020400-/L3Ra7n9ekc@public.gmane.org>
2014-12-08 22:39 ` Eric W. Biederman
[not found] ` <874mt5ojfh.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:47 ` Andy Lutomirski
2014-12-08 22:47 ` Andy Lutomirski
2014-12-08 22:27 ` Richard Weinberger
2014-12-08 22:07 ` [CFT][PATCH 3/7] userns: Don't allow unprivileged creation of gid mappings Eric W. Biederman
2014-12-08 22:07 ` Eric W. Biederman
2014-12-08 22:08 ` [CFT][PATCH 4/7] userns: Check euid no fsuid when establishing an unprivileged uid mapping Eric W. Biederman
2014-12-08 22:08 ` Eric W. Biederman
2014-12-08 22:12 ` Andy Lutomirski
[not found] ` <87y4qhpzfj.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:12 ` Andy Lutomirski
2014-12-08 22:10 ` [CFT][PATCH 5/7] userns: Only allow the creator of the userns unprivileged mappings Eric W. Biederman
2014-12-08 22:10 ` Eric W. Biederman
[not found] ` <87sigppzch.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:15 ` Andy Lutomirski
2014-12-08 22:15 ` Andy Lutomirski
2014-12-08 22:15 ` Andy Lutomirski
2014-12-08 22:11 ` [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-08 22:11 ` Eric W. Biederman
[not found] ` <87mw6xpzb0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:21 ` Andy Lutomirski
2014-12-08 22:21 ` Andy Lutomirski
[not found] ` <CALCETrU-o5mPr1jCaLXDuuF6J2N470zAtx=8Fa-SjF=ZpdE8mQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-08 22:44 ` Eric W. Biederman
2014-12-08 22:44 ` Eric W. Biederman
[not found] ` <87ppbtn4mv.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:48 ` Andy Lutomirski
2014-12-08 22:48 ` Andy Lutomirski
[not found] ` <CALCETrXSScp77BUJR5NSTh5-RnEZ9rqELSGJBeEzgdQ-OtohuQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-08 23:30 ` Eric W. Biederman
2014-12-08 23:30 ` Eric W. Biederman
[not found] ` <87a92xn2io.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 19:31 ` Eric W. Biederman
2014-12-09 19:31 ` Eric W. Biederman
[not found] ` <87r3w8liw4.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 20:36 ` [CFT][PATCH 1/8] userns: Document what the invariant required for safe unprivileged mappings Eric W. Biederman
2014-12-09 20:36 ` Eric W. Biederman
[not found] ` <87iohklfvj.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 20:38 ` [CFT][PATCH 2/8] userns: Don't allow setgroups until a gid mapping has been setablished Eric W. Biederman
2014-12-09 20:38 ` Eric W. Biederman
[not found] ` <87d27slfsw.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 20:39 ` [CFT][PATCH 3/8] userns: Don't allow unprivileged creation of gid mappings Eric W. Biederman
2014-12-09 20:39 ` Eric W. Biederman
[not found] ` <874mt4lfr6.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 23:00 ` Andy Lutomirski
2014-12-09 23:00 ` Andy Lutomirski
2014-12-09 20:39 ` [CFT][PATCH 4/8] userns: Check euid no fsuid when establishing an unprivileged uid mapping Eric W. Biederman
2014-12-09 20:39 ` Eric W. Biederman
2014-12-09 20:41 ` [CFT][PATCH 5/8] userns: Only allow the creator of the userns unprivileged mappings Eric W. Biederman
2014-12-09 20:41 ` Eric W. Biederman
2014-12-09 20:41 ` [CFT][PATCH 6/8] userns: Rename id_map_mutex to userns_state_mutex Eric W. Biederman
2014-12-09 20:41 ` Eric W. Biederman
[not found] ` <87mw6wk12i.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 20:42 ` [CFT][PATCH 7/8] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-09 20:42 ` Eric W. Biederman
2014-12-09 20:42 ` Eric W. Biederman
[not found] ` <87fvcok11h.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-09 22:28 ` Andy Lutomirski
2014-12-09 22:28 ` Andy Lutomirski
[not found] ` <CALCETrVfKiXuY=KY_=nHpkTyLWgpy_3DK=4Mr2mhpyX9z1TzrA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-10 0:04 ` Eric W.Biederman
2014-12-10 0:21 ` Andy Lutomirski
[not found] ` <CALCETrWpzvNm=fjOa3_+4QOqYP8qZUJvQAd6AsRZ71xyHZQRCg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-10 22:33 ` Eric W. Biederman
[not found] ` <87wq5zf83t.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-12 1:09 ` Eric W. Biederman
[not found] ` <87iohh3c9c.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-12 1:30 ` Andy Lutomirski
2014-12-12 1:30 ` Andy Lutomirski
2014-12-12 1:31 ` [CFT][PATCH v6] " Eric W. Biederman
[not found] ` <8761dh3b7k.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-12 21:52 ` [PATCH 0/2] Documenting user namespace changes Eric W. Biederman
2014-12-12 21:54 ` [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups Eric W. Biederman
2014-12-12 21:54 ` Eric W. Biederman
[not found] ` <87vblg1qme.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-02-02 15:36 ` Michael Kerrisk (man-pages)
2015-02-02 15:36 ` Michael Kerrisk (man-pages)
2015-02-02 15:36 ` Michael Kerrisk (man-pages)
[not found] ` <54CF9995.1050409-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-02-11 8:01 ` Michael Kerrisk (man-pages)
2015-02-11 8:01 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkgWnZ=7E4bk3JhzFS88CJ32szYCYcm_Sx166yVuWKhhUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-02-11 13:51 ` Eric W. Biederman
2015-02-11 13:51 ` Eric W. Biederman
[not found] ` <8761b8lfoz.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-02-12 13:53 ` Michael Kerrisk (man-pages)
2015-02-12 13:53 ` Michael Kerrisk (man-pages)
[not found] ` <54DCB059.2020305-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-02-21 7:57 ` Michael Kerrisk (man-pages)
2015-02-21 7:57 ` Michael Kerrisk (man-pages)
2015-03-03 11:39 ` Michael Kerrisk (man-pages)
2015-03-03 11:39 ` Michael Kerrisk (man-pages)
2015-03-03 11:39 ` Michael Kerrisk (man-pages)
[not found] ` <878uicy1r9.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-12 21:54 ` [PATCH 2/2] user_namespaces.7: Update the documention to reflect the fixes for negative groups Eric W. Biederman
2014-12-12 21:54 ` Eric W. Biederman
[not found] ` <87ppbo1ql4.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-02-02 15:37 ` Michael Kerrisk (man-pages)
2015-02-02 15:37 ` Michael Kerrisk (man-pages)
2015-02-11 8:02 ` Michael Kerrisk (man-pages)
2015-02-11 14:01 ` Eric W. Biederman
2015-02-11 14:01 ` Eric W. Biederman
2015-02-12 10:11 ` Michael Kerrisk (man-pages) [this message]
2015-02-12 10:11 ` Michael Kerrisk (man-pages)
[not found] ` <87egpwk0n3.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-02-12 10:11 ` Michael Kerrisk (man-pages)
[not found] ` <CAKgNAkhmwK02DJQV84S+dEdrUDjzRuR32j+2gcKkgeDq8jTkuQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-02-11 14:01 ` Eric W. Biederman
[not found] ` <54CF99BF.8050401-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-02-11 8:02 ` Michael Kerrisk (man-pages)
2015-02-02 15:37 ` Michael Kerrisk (man-pages)
2015-02-02 21:31 ` Alban Crequy
2015-02-02 21:31 ` Alban Crequy
[not found] ` <CAMXgnP7phuYTko6fHnxjJTi=HRdoa32uH6dp8DyD9uWPWr2kAg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-04 14:00 ` Michael Kerrisk (man-pages)
2015-03-04 14:00 ` Michael Kerrisk (man-pages)
2015-03-04 14:00 ` Michael Kerrisk (man-pages)
[not found] ` <971ad3f6-90fd-4e3f-916c-8988af3c826d-2ueSQiBKiTY7tOexoI0I+QC/G2K4zDHf@public.gmane.org>
2014-12-10 0:21 ` [CFT][PATCH 7/8] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski
2014-12-09 20:43 ` [CFT][PATCH 8/8] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-09 20:43 ` Eric W. Biederman
2014-12-10 16:39 ` [CFT] Can I get some Tested-By's on this series? Eric W. Biederman
2014-12-10 16:39 ` Eric W. Biederman
2014-12-10 16:39 ` Eric W. Biederman
[not found] ` <87mw6vh31e.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-10 22:48 ` Serge Hallyn
2014-12-10 22:48 ` Serge Hallyn
2014-12-10 22:50 ` Richard Weinberger
2014-12-10 22:50 ` Richard Weinberger
[not found] ` <5488CE4D.1000606-/L3Ra7n9ekc@public.gmane.org>
2014-12-10 23:19 ` Eric W. Biederman
2014-12-10 23:19 ` Eric W. Biederman
[not found] ` <87r3w7f5yc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-11 19:27 ` Richard Weinberger
2014-12-11 19:27 ` Richard Weinberger
2014-12-12 6:56 ` Chen, Hanxiao
2014-12-12 6:56 ` Chen, Hanxiao
2014-12-12 6:56 ` Chen, Hanxiao
2014-12-13 22:31 ` serge
2014-12-13 22:31 ` serge-A9i7LUbDfNHQT0dZR+AlfA
[not found] ` <87lhmcy2et.fsf@x220.int.ebiederm.org>
[not found] ` <20141212220840.GF22091@castiana.ipv6.teksavvy.com>
[not found] ` <8761dgze56.fsf@x220.int.ebiederm.org>
[not found] ` <8761dgze56.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-15 19:38 ` Serge Hallyn
2014-12-15 19:38 ` Serge Hallyn
2014-12-15 19:38 ` Serge Hallyn
2014-12-15 20:11 ` Eric W. Biederman
2014-12-15 20:11 ` Eric W. Biederman
[not found] ` <8761dcwu40.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-15 20:49 ` Serge Hallyn
2014-12-15 20:49 ` Serge Hallyn
2014-12-15 20:49 ` Serge Hallyn
2014-12-15 20:49 ` Serge Hallyn
2014-12-16 2:05 ` Andy Lutomirski
2014-12-16 2:05 ` Andy Lutomirski
[not found] ` <CALCETrWXp3eq2O068NZcd+KPCg+N2y0T57Q0JzHcZLjzq+mXLA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16 9:23 ` Richard Weinberger
2014-12-16 9:23 ` Richard Weinberger
2014-12-16 9:23 ` Richard Weinberger
2014-12-08 23:30 ` [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-08 22:14 ` [CFT][PATCH 7/7] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-08 22:14 ` Eric W. Biederman
[not found] ` <87egs9pz5u.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-08 22:26 ` Andy Lutomirski
2014-12-08 22:26 ` Andy Lutomirski
[not found] ` <CALCETrXWx2-ZejEHmOi7aSoF-qJMRGR5yseeMhuurZwJRrQbUg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-08 22:06 ` [CFT][PATCH 1/7] userns: Document what the invariant required for safe unprivileged mappings Eric W. Biederman
[not found] ` <87a935u3nj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:17 ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski
2014-12-02 21:05 ` Andy Lutomirski
2014-12-02 20:58 ` [CFT][PATCH 1/3] userns: Avoid problems with negative groups Andy Lutomirski
2014-12-02 20:58 ` Andy Lutomirski
2014-12-02 20:58 ` Andy Lutomirski
[not found] ` <CALCETrXsQbCeQBUo_FrXNVS42mBEFXz1jku9TicVbFhxTmNGmA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 21:26 ` Eric W. Biederman
2014-12-02 21:26 ` Eric W. Biederman
[not found] ` <87bnnlvj43.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:09 ` Andy Lutomirski
2014-12-02 22:09 ` Andy Lutomirski
[not found] ` <CALCETrUJ9Qk553YSsYkjaeE-Qw0u_Pt1eoODUPX-udsO8kf14w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-02 22:48 ` Eric W. Biederman
2014-12-02 22:48 ` Eric W. Biederman
[not found] ` <87wq69pt0q.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-02 22:56 ` Andy Lutomirski
2014-12-02 22:56 ` Andy Lutomirski
2014-12-02 20:25 ` Eric W. Biederman
2014-12-02 18:53 ` [PATCH v2] userns: Disallow setgroups unless the gid_map writer is privileged Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54DC7C3D.4040100@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=kenton@sandstorm.io \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.