From: Andrew Morton
Subject: Re: [PATCH 1/6] user namespace : add the framework
Date: Sun, 15 Jul 2007 18:31:32 -0700
Message-ID: <20070715183132.e31a2064.akpm@linux-foundation.org>
References: <20070604193957.GA19331@sergelap.austin.ibm.com> <20070604194024.GA21703@sergelap.austin.ibm.com>
In-Reply-To: <20070604194024.GA21703-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
To: "Serge E. Hallyn"
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org, David Howells, xemul-3ImXcnM4P+0@public.gmane.org
List-Id: containers.vger.kernel.org

On Mon, 4 Jun 2007 14:40:24 -0500 "Serge E. Hallyn" wrote:

> Add the user namespace struct and framework
>
> Basically, it will allow a process to unshare its user_struct table, resetting
> at the same time its own user_struct and all the associated accounting.
>
> A new root user (uid == 0) is added to the user namespace upon creation. Such
> root users have full privileges and it seems that these privileges should be
> controlled through some means (process capabilities?)

The whole magical-uid-0-user thing in this patch seems just wrong to me.

I'll merge it anyway, mainly because I want to merge _something_ (why oh why do the git-tree guys leave everything to the last minute?) but it strikes me that there's something fundamentally wrong whenever the kernel starts "knowing" about the significance of UIDs in this fashion.

It worries me.