On Sat, Apr 19, 2025 at 10:34 PM Bagas Sanjaya <bagasdotme@xxxxxxxxx> wrote:
>
> On Sat, Apr 19, 2025 at 11:04:28AM -0400, Joel Savitz wrote:
> > -There are a lot of kinds of objects in the kernel that don't have
> > -individual limits or that have limits that are ineffective when a set
> > -of processes is allowed to switch user ids. With user namespaces
> > -enabled in a kernel for people who don't trust their users or their
> > -users programs to play nice this problems becomes more acute.
> > +The kernel contains many kinds of objects that either don't have
> > +individual limits or that have limits which are ineffective when
> > +a set of processes is allowed to switch their UID. On a system
> > +where there admins don't trust their users or their users' programs,
> > +user namespaces expose the system to potential misuse of resources.
>
> Do you mean "when there are admins who don't trust ..." or "where admins don't
> trust ..."?

I meant to write "the admins", my bad.

>
> Confused...
>
> --
> An old man doll... just what I always wanted! - Clara
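Review bot: In the last two added lines of the quoted hunk ("where there admins don't trust ... user namespaces expose the system to potential misuse of resources"), "there" reads as a typo for "the", and the rewrite drops the removed text's point that user namespaces make the limit problem described in the preceding sentence "more acute"; as written, the new sentence reads as if user namespaces introduce the resource misuse on their own. Something like "On a system where the admins don't trust their users or their users' programs, user namespaces make this problem more acute." would fix the typo and keep the link to the sentence about missing or ineffective per-object limits.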