Re: [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches

From: David Howells
Date: Fri Aug 02 2013 - 13:00:48 EST

Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> > Add support for per-user_namespace registers of persistent per-UID kerberos
> > caches held within the kernel.
> Out of curiosity is this cache per user namspace because the key lookup
> is per user namespace?

Yes. You can't see keys in another namespace. I occasionally wonder if I
should make the key serial number tree per namespace so that you don't search
keys outside your namespace and can't try looking them up by ID - but it
complicates the garbage collector which iterates over the entire tree (though
it could maintain a list of per-ns trees).

> Some minor nits below. But I don't see anything particulary scary about
> this patch. Other than seeming to make it easy for root to get my
> kerbose tickets.

Root can do that anyway with file-based ccaches, I believe. However, you can
change the key permissions to prevent root even seeing that your keys/keyrings
exist, let alone stealing them.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at