Hello, Aleksa.

On Fri, Jul 22, 2016 at 12:37:42AM +1000, Aleksa Sarai wrote:
> > This is of course solvable using something like libpam-cgfs or
> > libpam-cgm (and others). Since this sounds like a question of
> > policy, not mechanism, userspace seems like the right place. Is
> > there a downside to that (or, as Tejun put it, "delegating explicitly")?
>
> Having a PAM module requires getting an administrator to install the PAM
> module (and also presumably audit it, not to mention convincing them that
> your requirement to use containers is significant enough for them to do any
> work). It's the same problem IMO. I understand that LXC allows you to do
> this, but it requires that you get an administrator to *install* and support
> LXC (as well as the shadow-utils setuid binaries too). There are cases where
> you don't have the freedom to do that, and also "just get someone to give
> you privileges temporarily" is again punting on the problem.

The administrator has to install a new kernel to get this feature from
kernel side too. I don't think "to bypass admin" is a strong argument
for a new kernel feature especially when it's likely to cause subtle
issues as in this case.

Thanks.

-- 
tejun