On Fri, Feb 20, 2015 at 4:31 PM, Eric W. Biederman <[email protected]> wrote:
> Andy Lutomirski <[email protected]> writes:
>
>> On Thu, Feb 19, 2015 at 8:38 AM, Alexander Larsson <[email protected]> wrote:
>>> On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:
>>>
>>>> - setuid / privileged helper.  Why do you need a privileged helper?
>>>> You should be able to do all of this using user namespaces.  The
>>>> Sandstorm code linked above does exactly this.
>>>
>>> I tried this a bit, but I ran into two snags I don't understand.
>>>
>>> First of all, as uid/gid 1000 I can put "1000 1000 1"
>>> in /proc/self/uid_map from the child. However, I cannot put "1000 1000
>>> 1" into gid_map, as I get EPERM.
>>> I don't understand this, is this not supposed to work?
>>
>> You need newer manpages :-/  Try the attached variant.
>
> Yeah.  You need to disable setgroups for that to work.
>
>>> Secondly, I'm failing to mount another instance of devpts. It fails with
>>> EINVAL.
>>
>> Hmm.  Off the top of my head, there's no good reason that devpts with
>> the newinstance option couldn't be allowed in a userns.  Eric, any
>> thoughts here?  The patch would be straightforward.
>
> Looking at the code you have to have uid 0 and gid 0 mapped and you have
> to specify newinstance.  But devpts is mountable without being the
> global root user.

Wow, my grepping skills are nonexistent today.

>
> The restriction of having uid 0 and gid 0 mapped is just that /dev/ptmx is
> and has always been owned by root and so mknod_ptmx just won't let you
> create a device inode as with a uid or gid you can't map.

All we'd have to do is to add ptmx_uid and ptmx_gid options, right?
I'll send a patch.

--Andy

>
> Eric

--
Andy Lutomirski
AMA Capital Management, LLC
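
The gid_map EPERM discussed in this thread, as an added example (not code from the thread and not the attached variant it mentions): an unprivileged process writes "deny" to /proc/self/setgroups before writing gid_map. The helper names `write_file` and `write_id_maps` and the `dir` parameter are assumptions made for illustration; it assumes Linux 3.19 or later with unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE                 /* exposes CLONE_NEWUSER in <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000    /* kernel ABI value, used as a fallback */
#endif
/* Write text to <dir>/<name>; returns 0 on success or -errno. */
static int write_file(const char *dir, const char *name, const char *text)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = n == (ssize_t)strlen(text) ? 0 : (n < 0 ? -errno : -EIO);
    close(fd);
    return err;
}

/* Map one uid/gid to itself; dir is "/proc/self" in real use (hypothetical parameter). */
int write_id_maps(const char *dir, uid_t uid, gid_t gid)
{
    char line[64];
    /* Must come first: an unprivileged gid_map write gets EPERM otherwise. */
    int err = write_file(dir, "setgroups", "deny");
    if (err < 0) return err;
    snprintf(line, sizeof line, "%u %u 1", (unsigned)gid, (unsigned)gid);
    if ((err = write_file(dir, "gid_map", line)) < 0) return err;
    snprintf(line, sizeof line, "%u %u 1", (unsigned)uid, (unsigned)uid);
    return write_file(dir, "uid_map", line);
}

int main(void)
{
    uid_t uid = getuid();           /* read before unshare: unmapped ids */
    gid_t gid = getgid();           /* show up as the overflow id afterwards */
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0) { perror("unshare"); return EXIT_FAILURE; }
    int err = write_id_maps("/proc/self", uid, gid);
    if (err < 0) { fprintf(stderr, "id maps: %s\n", strerror(-err)); return EXIT_FAILURE; }
    printf("uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Once "deny" is written, setgroups(2) stays disabled for that user namespace and its descendants, which is what makes the unprivileged gid mapping safe to allow.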
