[PATCH v2 00/28] user_namespace: introduce fsid mappings
Florian Weimer
fw at deneb.enyo.de
Sun Feb 16 15:55:49 UTC 2020
* Christian Brauner:
> With fsid mappings we can solve this by writing an id mapping of 0
> 100000 100000 and an fsid mapping of 0 300000 100000. On filesystem
> access the kernel will now lookup the mapping for 300000 in the fsid
> mapping tables of the user namespace. And since such a mapping exists,
> the corresponding files will have correct ownership.
I'm worried that this is a bit of a management nightmare because the
data about the mapping does not live within the file system (it's
externally determined, static, but crucial to the interpretation of
file system content). I expect that many organizations have
centralized allocation of user IDs, but centralized allocation of the
static mapping does not appear feasible.
Have you considered a more complex design, where untranslated nested
user IDs are store in a file attribute (or something like that)? This
way, any existing user ID infrastructure can be carried over largely
unchanged.
More information about the Linux-security-module-archive
mailing list