1. Patchew
  2. linux
  3. View series

RE: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()

David Laight posted 3 patches 1 year, 7 months ago
Only 0 patches received!
RE: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()
Posted by David Laight 1 year, 7 months ago 
...
> So I want a way to give *an entire container* access to a directory.
> Classic UNIX DAC is just *wrong* for this use case.  Maybe idmaps
> could learn a way to squash multiple ids down to one.  Or maybe
> something like my silly credential-capturing mount proposal could
> work.  But the status quo is not actually amazing IMO.

Isn't that what gids are for :-)

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()
Posted by Andy Lutomirski 1 year, 7 months ago 
On Mon, May 6, 2024 at 12:35 PM David Laight <David.Laight@aculab.com> wrote:
>
> ...
> > So I want a way to give *an entire container* access to a directory.
> > Classic UNIX DAC is just *wrong* for this use case.  Maybe idmaps
> > could learn a way to squash multiple ids down to one.  Or maybe
> > something like my silly credential-capturing mount proposal could
> > work.  But the status quo is not actually amazing IMO.
>
> Isn't that what gids are for :-)

I dunno.  How, exactly, is a regular non-root user of a Linux computer
supposed to configure gids in their home directory so that a container
(which uses subgids, possibly dynamically allocated) gets access to
the correct thing?  And why should that poor user need to think about
this at all?

--Andy

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.