[Dev] User ID allocation

Piotr Bartosiewicz p.bartosiewi at partner.samsung.com
Mon May 26 08:55:01 GMT 2014


On 23.05.2014 18:23, Thiago Macieira wrote:
> On Fri 23 May 2014, at 10:16:31, Piotr Bartosiewicz wrote:
>> And the second example where we want the ID to be statically reserved:
>> We want the root (userID=0) inside container to be mapped to the user ID=Z
>> in the host. We can't afford to chown almost every file in the
>> container's Tizen system to the newly created user on the host - it takes
>> too long. If we would know the userID while creating the containers image
>> then no action would be needed while installing this container.
> I'm sorry, I'm not following you. I guess the problem is that I am not
> familiar with the containers solution -- what it does, how it does it, what it
> requires. You're referencing knowledge I don't have.
We've made a wiki page:
https://wiki.tizen.org/wiki/Security:Containers

>
> From my point of view, you're also contradicting yourself. At first, you want a
> 1-to-1 mapping of UIDs, but then you want to map UID to something different
> (zero and non-zero). I'm sure I'm missing something.

For security reasons we want to ensure that UIDs from the container won't
be used in the host, so we have to map them (it is done by shifting the ranges
of UIDs). But there will be one exception for the UID used for dbus access
(it will be shifted by 0) but we ensure it won't be used in the host for
other purposes.

>
> Let me try this: are you saying people will download something that installs
> on device with UID different from theirs and different from root's? That is, you
> need to know what UID it will be in order to create the package?
I don't know the final solution for how containers will be installed.
At this moment we have some proof-of-concept scripts:
The first one creates three complete Tizen images: a minimal host image,
and two container images, where the latter are merged (and transformed
according to the UID policy) into the host image.
The other one takes the user's Tizen image and migrates it into the containers
solution using precreated host.img and business.img.


-- 
Piotr Bartosiewicz
Samsung R&D Institute Poland
Samsung Electronics
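
The UID policy described in this message (shift the container's UID range, leave the one UID used for dbus access unshifted, and make sure the host does not use that UID for anything else), as an added example that is not part of the original post or of the Tizen scripts. The shift of 100000, the range size of 65536 and the dbus UID 81 are constructed values, and rendering in the Linux user-namespace uid_map line format is an assumption about the mechanism.

```python
# Added illustration; all names and numbers are constructed, not Tizen's.
from typing import List, Set, Tuple

Extent = Tuple[int, int, int]  # (first UID in container, first UID on host, count)


def build_uid_map(shift: int, size: int, passthrough: Set[int]) -> List[Extent]:
    """Shift container UIDs [0, size) by `shift`, except the `passthrough`
    UIDs, which keep the same number on the host (a shift of 0)."""
    extents: List[Extent] = []
    start = 0
    for uid in sorted(passthrough):
        if not 0 <= uid < size:
            raise ValueError(f"passthrough UID {uid} outside container range")
        if uid > start:
            extents.append((start, start + shift, uid - start))
        extents.append((uid, uid, 1))
        start = uid + 1
    if start < size:
        extents.append((start, start + shift, size - start))
    return extents


def host_uid(extents: List[Extent], container_uid: int) -> int:
    """Translate a container UID to the host UID it is mapped to."""
    for inside, outside, count in extents:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    raise KeyError(f"UID {container_uid} is not mapped")


def collisions(extents: List[Extent], host_uids_in_use: Set[int]) -> Set[int]:
    """Host UIDs that are mapping targets and are also already allocated on the host."""
    hit: Set[int] = set()
    for _, outside, count in extents:
        hit |= {u for u in host_uids_in_use if outside <= u < outside + count}
    return hit


def render(extents: List[Extent]) -> str:
    """Render as 'inside outside count' lines (the /proc/<pid>/uid_map format)."""
    return "\n".join(f"{i} {o} {c}" for i, o, c in extents)


if __name__ == "__main__":
    uid_map = build_uid_map(shift=100000, size=65536, passthrough={81})
    print(render(uid_map))
    # A host that already uses UID 81 breaks the policy for the unshifted UID.
    print("collisions:", collisions(uid_map, {0, 81, 5000}))
```

Because the shift is fixed when the image is built, container root always lands on the same host UID, which is the static reservation the quoted paragraph asks for.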


