From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Cc: Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	Serge Hallyn
	<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Subject: Re: Getting userns enabled in vendor kernels
Date: Fri, 15 Nov 2013 00:52:14 -0800	[thread overview]
Message-ID: <87ob5moxmp.fsf@xmission.com> (raw)
In-Reply-To: <5285AEF1.6000503-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> (Gao feng's message of "Fri, 15 Nov 2013 13:19:45 +0800")

Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> writes:

> On 11/13/2013 11:13 PM, Daniel P. Berrange wrote:
>> 
>>   commit 5eaf563e53294d6696e651466697eb9d491f3946
>>   Author: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>>   Date:   Mon Nov 21 17:22:31 2011 -0800
>> 
>>     userns: Allow unprivileged users to create user namespaces.
>
> I don't know what benefit this commit brings and what use
> case this commit tries to support.
>
> In most use cases, the container/namespace is created by a privileged
> user and the id-map can prevent unsafe things.
>
> IMO, I think this patch can be reverted.

This patch brings tremendous benefit, and by itself is completely safe.

It is the added ns_capable calls that are potentially dangerous, and it
seems you like the idea of taking advantage of those.

The goal is to not let anything that is not safe for an unprivileged
user to use happen in a user namespace.  One primary use for user
namespaces is separate administrative domains.  Aka allowing someone you
don't trust with root privileges to do things on your box.  You trust
them with shell access but that is another story.

So if it is safe enough in general for people with shell access to use
the functionality, restricting the creation of user namespaces to root
is silly.

Restricting user namespace creation to root really is a form of
sticking your fingers in your ears, closing your eyes, and going
la-la-la-la I can't hear you when faced with security issues.

For production use it is either as safe as the rest of the kernel or it
is not.  A sysctl so you can turn user namespaces on/off so you can
experiment with them while they are maturing is something that might be
reasonable.  But again that is another form of CYA.  But likely a
reasonable CYA for a distro kernel.

I intend to fix bugs and enable people to actually use their kernel, not
run around trying to point the blame for things that go wrong at
others.

And now back to my regularly scheduled bug fixing.

Eric
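
The distinction Eric draws above, that creating a user namespace is harmless by itself and the risk lives in the ns_capable() checks that hand out capabilities scoped to that namespace, can be observed directly from userspace. The following program is an added example, not code from this thread or from the kernel tree: it forks, has the child call unshare(CLONE_NEWUSER) as an ordinary user, maps the caller's uid/gid to 0 inside the new namespace, and then shows that the child reports uid 0 and CAP_SYS_ADMIN in CapEff yet still gets EPERM from sethostname(), because that syscall is gated on CAP_SYS_ADMIN in the user namespace owning the UTS namespace, which is still the initial one. If the kernel (or a distro sysctl, or seccomp) refuses unprivileged user namespace creation, unshare() fails and the probe reports that instead. The PROBE_* result codes, the function names and the CAP_SYS_ADMIN bit number (21, from linux/capability.h) are assumptions of this example.

```c
/* Added example (not from the thread or the kernel tree): probe whether an
 * unprivileged process may create a user namespace here, and show that
 * "root" inside it holds no capabilities over the initial namespace.
 * The PROBE_* codes are this example's own convention, not kernel ABI. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PROBE_OK = 0, PROBE_DENIED = 1, PROBE_UNEXPECTED = 2 };

#define CAP_SYS_ADMIN_BIT 21   /* value of CAP_SYS_ADMIN in linux/capability.h */

/* Parse the CapEff line out of a /proc/<pid>/status buffer; 0 if absent. */
unsigned long long parse_capeff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* Write one string to a file in a single write(2); returns 0 on success. */
static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

static unsigned long long read_capeff(void)
{
    char buf[4096];
    int fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return parse_capeff(buf);
}

/* Runs in a forked child so the parent's credentials stay untouched. */
static int child_probe(void)
{
    char map[64], host[256];
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* EPERM: creation disabled for this user; EINVAL: kernel lacks CONFIG_USER_NS. */
    if (unshare(CLONE_NEWUSER) != 0)
        return PROBE_DENIED;

    /* Map our real uid/gid to 0 in the new namespace. Since 3.19 setgroups
       must be denied before gid_map can be written; ENOENT on older kernels
       just means the file does not exist yet. */
    if (write_str("/proc/self/setgroups", "deny") != 0 && errno != ENOENT)
        return PROBE_UNEXPECTED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_str("/proc/self/uid_map", map) != 0)
        return PROBE_UNEXPECTED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_str("/proc/self/gid_map", map) != 0)
        return PROBE_UNEXPECTED;

    /* We now look like root with a full capability set... */
    if (getuid() != 0)
        return PROBE_UNEXPECTED;
    if (!(read_capeff() & (1ULL << CAP_SYS_ADMIN_BIT)))
        return PROBE_UNEXPECTED;

    /* ...but sethostname() checks ns_capable(uts_ns->user_ns, CAP_SYS_ADMIN),
       and our UTS namespace is still owned by the initial user namespace,
       so the kernel must answer EPERM. Passing the current name keeps the
       call harmless should it ever succeed. */
    if (gethostname(host, sizeof host) != 0)
        return PROBE_UNEXPECTED;
    if (sethostname(host, strlen(host)) == 0 || errno != EPERM)
        return PROBE_UNEXPECTED;
    return PROBE_OK;
}

int userns_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNEXPECTED;
    if (pid == 0)
        _exit(child_probe());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = {
        "user namespace created; in-ns root still gets EPERM from sethostname()",
        "kernel refused unprivileged user namespace creation (unshare failed)",
        "unexpected result; inspect the probe",
    };
    int r = userns_probe();
    printf("%s\n", msg[r]);
    return r;
}
```

Run it as a normal user: PROBE_OK is the behaviour Eric describes as safe (the namespace exists, but every capability it grants is scoped to objects the namespace owns), and PROBE_DENIED is what the distro-style on/off sysctl he mentions looks like from userspace. A kernel bug of the kind he is worried about would show up here as sethostname() succeeding.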


Thread overview: 7+ messages
2013-11-13 15:13 Getting userns enabled in vendor kernels Daniel P. Berrange
     [not found] ` <20131113151330.GZ32643-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-11-13 16:30   ` Serge Hallyn
2013-11-14 15:52   ` James Bottomley
     [not found]     ` <1384444373.2005.8.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2013-11-14 17:44       ` Aristeu Rozanski
     [not found]         ` <20131114174401.GF12097-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-11-14 17:48           ` Serge E. Hallyn
2013-11-15  5:19   ` Gao feng
     [not found]     ` <5285AEF1.6000503-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-15  8:52       ` Eric W. Biederman [this message]
