From: serue@us.ibm.com
Subject: Re: [PATCH 0/3] New system call, unshare
Date: Wed, 10 Aug 2005 09:18:49 -0500
Message-ID: <20050810141849.GA5639@serge.austin.ibm.com>
References: <878xz9dgv4.fsf@mid.deneb.enyo.de>
In-Reply-To: <878xz9dgv4.fsf@mid.deneb.enyo.de>
To: Florian Weimer
Cc: Janak Desai , viro@parcelfarce.linux.theplanet.co.uk, sds@tycho.nsa.gov, linuxram@us.ibm.com, ericvh@gmail.com, dwalsh@redhat.com, jmorris@redhat.com, akpm@osdl.org, torvalds@osdl.org, gh@us.ibm.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Quoting Florian Weimer (fw@deneb.enyo.de):
> * Janak Desai:
>
> > With unshare, namespace setup can be done using PAM session
> > management functions without patching individual commands.
>
> I don't think it's a good idea to use security-critical code well

Note that this patch is not removing the CAP_SYS_ADMIN requirement, just
allowing the operation to happen outside of clone(). Unlike domain
transitions in selinux, which should be tied to exec() so as to tie them
to known code, I don't see what clone() would provide in terms of safety
which we are losing.

> without its original specification. Clearly the current situation
> sucks, but this is mainly a lack of PAM functionality, IMHO.

I'm not sure this is to do with PAM functionality, rather than just its
design. Is there a way of "fixing" pam so that we don't need unshare()?

thanks,
-serge