Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()

From: Andy Lutomirski
Date: Mon May 06 2024 - 17:53:53 EST

Next message: Samuel Thibault: "[PATCHv2] l2tp: Support several sockets with same IP/port quadruple"
Previous message: Alexey Makhalov: "[PATCH v9 0/8] VMware hypercalls enhancements"
In reply to: David Laight: "RE: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Next in thread: Christian Brauner: "Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, May 6, 2024 at 12:35 PM David Laight <David.Laight@xxxxxxxxxx> wrote:
>
> ...
> > So I want a way to give *an entire container* access to a directory.
> > Classic UNIX DAC is just *wrong* for this use case. Maybe idmaps
> > could learn a way to squash multiple ids down to one. Or maybe
> > something like my silly credential-capturing mount proposal could
> > work. But the status quo is not actually amazing IMO.
>
> Isn't that what gids are for :-)

I dunno. How, exactly, is a regular non-root user of a Linux computer
supposed to configure gids in their home directory so that a container
(which uses subgids, possibly dynamically allocated) gets access to
the correct thing? And why should that poor user need to think about
this at all?

--Andy

Next message: Samuel Thibault: "[PATCHv2] l2tp: Support several sockets with same IP/port quadruple"
Previous message: Alexey Makhalov: "[PATCH v9 0/8] VMware hypercalls enhancements"
In reply to: David Laight: "RE: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Next in thread: Christian Brauner: "Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]