Re: Allowing mapping supplemental groups in user namespace?

2019-03-28 Thread Dmitry Torokhov
On Thu, Mar 28, 2019 at 11:37 AM Serge E. Hallyn wrote:
>
> On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote:
> > Hi Serge,
> >
> > On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
> > >
> > > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > > > Hi Eric,

Re: Allowing mapping supplemental groups in user namespace?

2019-03-28 Thread Serge E. Hallyn
On Thu, Mar 28, 2019 at 11:30:52AM -0700, Dmitry Torokhov wrote:
> Hi Serge,
>
> On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
> >
> > On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > > Hi Eric,
> > >
> > > Currently, unless caller has CAP_SETGID in parent

Re: Allowing mapping supplemental groups in user namespace?

2019-03-28 Thread Dmitry Torokhov
Hi Serge,

On Thu, Mar 28, 2019 at 11:05 AM Serge E. Hallyn wrote:
>
> On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> > Hi Eric,
> >
> > Currently, unless caller has CAP_SETGID in parent namespace, we can
> > only map effective group id in the new user namespace. Would it be
>

Re: Allowing mapping supplemental groups in user namespace?

2019-03-28 Thread Serge E. Hallyn
On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> Hi Eric,
>
> Currently, unless caller has CAP_SETGID in parent namespace, we can
> only map effective group id in the new user namespace. Would it be
> possible to relax this rule to also allow mapping of supplemental
> groups

Allowing mapping supplemental groups in user namespace?

2019-02-28 Thread Dmitry Torokhov
Hi Eric,

Currently, unless caller has CAP_SETGID in parent namespace, we can
only map effective group id in the new user namespace. Would it be
possible to relax this rule to also allow mapping of supplemental
groups (1:1) of the caller?

Thanks.

--
Dmitry