On Sat, Apr 19, 2025 at 11:04:28AM -0400, Joel Savitz wrote: > -There are a lot of kinds of objects in the kernel that don't have > -individual limits or that have limits that are ineffective when a set > -of processes is allowed to switch user ids. With user namespaces > -enabled in a kernel for people who don't trust their users or their > -users programs to play nice this problems becomes more acute. > +The kernel contains many kinds of objects that either don't have > +individual limits or that have limits which are ineffective when > +a set of processes is allowed to switch their UID. On a system > +where there admins don't trust their users or their users' programs, > +user namespaces expose the system to potential misuse of resources. Do you mean "when there are admins who don't trust ..." or "where admins don't trust ..."? Confused... -- An old man doll... just what I always wanted! - Clara
Attachment:
signature.asc
Description: PGP signature
