On Wed, Aug 10, 2005 at 04:08:31PM +0200, Florian Weimer wrote: > * Janak Desai: > > > With unshare, namespace setup can be done using PAM session > > management functions without patching individual commands. > > I don't think it's a good idea to use security-critical code well > without its original specification. Clearly the current situation > sucks, but this is mainly a lack of PAM functionality, IMHO.
Eh? We are talking about a primitive that has far more uses than PAM. This is a missing piece of the stuff done by clone() and fork(): each task is a virtual machine with sharable components. We can get a copy of machine with arbitrary set of components replaced with private copies. That's what clone() and fork() do. The thing missing from that set is taking a component (VM, descriptors, etc.) of process itself and making it private. The same thing we do on fork(), but without creating a new process. FWIW, I'm OK with that. IIRC, Linus ACKed the concept some time ago. PAM is one obvious use, but there's are other situations where the lack of that primitive is inconvenient... - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/