NAK: user namespace delta for raring?
Eric W. Biederman
ebiederm at xmission.com
Tue Jan 22 21:02:29 UTC 2013
Serge Hallyn <serge.hallyn at canonical.com> writes:
> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> How does ls -l /proc/$pid/fd fail for the pid of a root login onto
>> /dev/console? That just sounds weird.
>
> It gets permission denied. If I log into both tty1 and tty2, from tty2
> I can look at /proc/pid/fd for other (root-owned) gettys, but not for
> (root-owned) /bin/login. This is doing it through sudo.o
>
> Ok, I see. Much of the contents of /proc in the container is owned by
> root on the host (nobody:nogroup in the container). Note that /proc is
> mounted from inside the container, after the uid mapping has been setup,
> and after doing setgid(0); setuid(0);.
>
> On the bright side, this is not a change with/without the dropped
> patches (on the downside, it's a problem - that is, unimplemented
> feature which will cause annoying niggles in userspace) in the current
> full patchset :)
Yes. I don't know if we can easily make dumpable more granular or not.
The good thing is that /proc is now finally failing safe. Instead of
OMG you can touch this file or that file in /proc from inside of a
container it is. Darn it this /proc bit doesn't work.
Would starting the container without privilege and using newuidmap and
newgidmap during startup avoid the privilege change that makes things
undumpable?
> So, with the additional patches dropped I still see no adverse effects,
> which hopefully will make pushing the remainder into 3.9 easier :)
Yes. It is good to confirm what the important parts. And it is good
to stop scaring the ubuntu kernel developers with lots of patches you
don't need.
Eric
More information about the kernel-team
mailing list