From: David Howells <dhowells@redhat.com>
To: ebiederm@xmission.com (Eric W. Biederman)
Cc: dhowells@redhat.com, keyrings@linux-nfs.org,
	linux-nfs@vger.kernel.org, krbdev@mit.edu,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	linux-kernel@vger.kernel.org, simo@redhat.com
Subject: Re: [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
Date: Fri, 02 Aug 2013 18:00:30 +0100
Message-ID: <7202.1375462830@warthog.procyon.org.uk>
In-Reply-To: <87ob9hovop.fsf@xmission.com>

Eric W. Biederman <ebiederm@xmission.com> wrote:

> > Add support for per-user_namespace registers of persistent per-UID kerberos
> > caches held within the kernel.
> 
> Out of curiosity is this cache per user namespace because the key lookup
> is per user namespace?

Yes.  You can't see keys in another namespace.  I occasionally wonder if I
should make the key serial number tree per namespace so that you don't search
keys outside your namespace and can't try looking them up by ID - but it
complicates the garbage collector which iterates over the entire tree (though
it could maintain a list of per-ns trees).

> Some minor nits below. But I don't see anything particularly scary about
> this patch.  Other than seeming to make it easy for root to get my
> kerberos tickets.

Root can do that anyway with file-based ccaches, I believe.  However, you can
change the key permissions to prevent root even seeing that your keys/keyrings
exist, let alone stealing them.

