NAK: user namespace delta for raring?
Serge Hallyn
serge.hallyn at canonical.com
Tue Jan 22 20:51:47 UTC 2013
Quoting Eric W. Biederman (ebiederm at xmission.com):
> How does ls -l /proc/$pid/fd fail for the pid of a root login onto
> /dev/console? That just sounds weird.
It gets permission denied. If I log into both tty1 and tty2, from tty2
I can look at /proc/pid/fd for other (root-owned) gettys, but not for
(root-owned) /bin/login. This is doing it through sudo.
Ok, I see. Much of the contents of /proc in the container is owned by
root on the host (nobody:nogroup in the container). Note that /proc is
mounted from inside the container, after the uid mapping has been setup,
and after doing setgid(0); setuid(0);.
On the bright side, this is not a change with/without the dropped
patches (on the downside, it's a problem - that is, unimplemented
feature which will cause annoying niggles in userspace) in the current
full patchset :)
So, with the additional patches dropped I still see no adverse effects,
which hopefully will make pushing the remainder into 3.9 easier :)
thanks,
-serge
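The ownership issue described in the message above comes down to how the kernel translates uids across a user namespace boundary: a file owned by a host uid that has no entry in the container's /proc/self/uid_map is shown inside the container as the overflow uid (65534, i.e. "nobody"), and the container's root cannot access it as owner. The following is an added example, not code from the thread or from the kernel, that parses a uid_map (format: `inside outside count` per line) and reports how a given host uid would appear inside the container. The sample map (`0 100000 65536`) and the 65534 overflow value are assumptions for the demonstration; a real run reads /proc/self/uid_map if it is available.

```python
"""Translate uids across a user namespace boundary using uid_map semantics.

Added example (not from the mailing-list thread): models why entries in a
container's /proc that are owned by host root show up as nobody:nogroup.
"""
from pathlib import Path
from typing import List, Optional, Tuple

# Kernel default for /proc/sys/kernel/overflowuid; assumed here, not read.
OVERFLOW_UID = 65534

# Constructed sample uid_map: container uid 0..65535 -> host uid 100000..165535
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, count) triples."""
    mapping = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines
        inside, outside, count = (int(p) for p in parts)
        mapping.append((inside, outside, count))
    return mapping


def outer_to_inner(host_uid: int, mapping) -> Optional[int]:
    """Return the container uid for a host uid, or None if unmapped."""
    for inside, outside, count in mapping:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def inner_to_outer(container_uid: int, mapping) -> Optional[int]:
    """Return the host uid for a container uid, or None if unmapped."""
    for inside, outside, count in mapping:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def apparent_uid(host_uid: int, mapping) -> int:
    """Uid a container process sees on a file owned by host_uid.

    Unmapped host uids are squashed to the overflow uid ("nobody").
    """
    inner = outer_to_inner(host_uid, mapping)
    return OVERFLOW_UID if inner is None else inner


def describe(host_uid: int, mapping) -> str:
    """Human-readable summary of how a host-owned file looks in the container."""
    inner = outer_to_inner(host_uid, mapping)
    if inner is None:
        return (f"host uid {host_uid} is unmapped: appears as uid "
                f"{OVERFLOW_UID} (nobody); container root is not the owner")
    return f"host uid {host_uid} maps to container uid {inner}"


def current_uid_map() -> List[Tuple[int, int, int]]:
    """Read this process's uid_map; fall back to the sample if unavailable."""
    path = Path("/proc/self/uid_map")
    try:
        return parse_uid_map(path.read_text())
    except OSError:
        return parse_uid_map(SAMPLE_UID_MAP)


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    # Host root (uid 0) owning /proc entries: the case from the thread.
    print(describe(0, m))
    # Host uid 100000 is the container's root.
    print(describe(100000, m))
    print("live uid_map:", current_uid_map())
```

Run as a script, it prints that host uid 0 is unmapped and shows up as nobody, while host uid 100000 is the container's root; `current_uid_map()` shows the real map of the calling process, which on the host is normally the identity line `0 0 4294967295`.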