Al Viro wrote:
> On Wed, Aug 10, 2005 at 04:08:31PM +0200, Florian Weimer wrote:
>
>>* Janak Desai:
>>
>>
>>>With unshare, namespace setup can be done using PAM session
>>>management functions without patching individual commands.
>>
>>I don't think it's a good idea to use security-critical code well
>>without its original specification. Clearly the current situation
>>sucks, but this is mainly a lack of PAM functionality, IMHO.
>
>
> Eh? We are talking about a primitive that has far more uses than
> PAM. This is a missing piece of the stuff done by clone() and fork():
> each task is a virtual machine with sharable components. We can
> get a copy of machine with arbitrary set of components replaced with
> private copies. That's what clone() and fork() do. The thing missing
> from that set is taking a component (VM, descriptors, etc.) of process
> itself and making it private. The same thing we do on fork(), but
> without creating a new process.
>
> FWIW, I'm OK with that. IIRC, Linus ACKed the concept some time ago.
> PAM is one obvious use, but there's are other situations where the lack
> of that primitive is inconvenient...
> -
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Thanks. In a few minutes, I will submit versions of these patches
that are ported and tested against 2.6.13-mm1.
-Janak