Happy Man | 19 Dec 00:16 2014

I am happy!

Nuova tariffa Posta Light | 17 Dec 16:01 2014

Did you know you can spend 40% less?

Top Partners
With the new POSTA LIGHT rate you can frank a letter for just 0.55 Euro

Available with NEOPOST FRANKING MACHINES in collaboration with Poste

FREE quote:

This message is sent via LeadsLeader. Unsubscribe from the
list: http://toprem.com/link.php?M=8319452&N=4669&L=2&F=T

Arnaud Bahar | 17 Dec 11:05 2014

Would you like to sell more at the Bijorcha show?

       This message contains graphics. If you do not see the graphics,
                           [1]click here to view.


   The Bijorcha show is very close, and I wanted to reach you to
   present an application that will help you take more, and larger,
   orders at the show.

   Pepperi is the #1 sales app for trade shows, giving sales reps a
   simple and smart way to take orders using their tablets.

   Start now for free, and be up and running in just a few days with:
     * Mobile order taking – No more manual paperwork
     * Stunning catalog - Impress your customers!
     * Barcode scanning - Scan directly from your
     * Offline mode - Connectivity is never a problem!
     * Bring your own device - Use any tablet

   More than 1000 companies use Pepperi, including Rip Curl,
   Paramount Pictures, Elle Jewelry, Blundstone and Marlox Group. So
   you will be in good company!

   [2]Click here to try Pepperi for free!
   Kind regards

Eric W. Biederman | 16 Dec 19:09 2014

[GIT PULL] User namespace related fixes


Please pull the for-linus branch from the git tree:

   git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-linus

   HEAD: db86da7cb76f797a1a8b445166a15cb922c6ff85 userns: Unbreak the unprivileged remount tests

This set of changes addresses all of the bugs with user namespaces that
I am aware of except for an unfortunate interaction between unprivileged
MNT_DETACH and MNT_LOCKED which can allow you to see under mount points
if you are clever with your use of MNT_DETACH.

As these are bug fixes almost all of these changes are marked for
backporting to stable.

The first change (implicitly adding MNT_NODEV on remount) addresses a
regression that was created when security issues with unprivileged 
remount were closed.  I go on to update the remount test to make it
easy to detect if this issue reoccurs.

Then there are a handful of mount and umount related fixes.

Then half of the changes deal with a recently discovered design bug
in the permission checks of gid_map.  Unix since the beginning has
allowed setting group permissions on files to less than the user and
other permissions (aka ---rwx---rwx).  As the unix permission checks
stop as soon as a group matches, and setgroups allows setting groups
that can not later be dropped, results in a situation where it is

Serge Hallyn | 15 Dec 20:38 2014

Re: [CFT] Can I get some Tested-By's on this series?

Quoting Eric W. Biederman (ebiederm@...):
> Stéphane Graber <stgraber@...> writes:
> > On Fri, Dec 12, 2014 at 03:38:18PM -0600, Eric W. Biederman wrote:
> >> Serge Hallyn <serge.hallyn@...> writes:
> >> 
> >> > Quoting Eric W. Biederman (ebiederm@...):
> >> >> 
> >> >> Will people please test these patches with their container project?
> >> >> 
> >> >> These changes break container userspace (hopefully in a minimal way) if
> >> >> I could have that confirmed by testing I would really appreciate it.  I
> >> >> really don't want to send out a bug fix that accidentally breaks
> >> >> userspace again.
> >> >> 
> >> >> The only issue sort of under discussion is if there is a better name for
> >> >> /proc/<pid>/setgroups, and the name of the file will not affect the
> >> >> functionality of the patchset.
> >> >> 
> >> >> With the code reviewed and written in simple obviously correct, easily
> >> >> reviewable ways I am hoping/planning to send this to Linus ASAP.
> >> >> 
> >> >> Eric
> >> >
> >> > Is there a git tree we can clone?
> >> 
> >> Have either of you been able to check to see if any of my changes
> >> affects lxc?
> >> 
> >> I am trying to gauge how hard and how fast I should push to Linus.  lxc

Eric W. Biederman | 12 Dec 23:32 2014

[PATCH review 00/18] userns: review of bug fixes for 3.19-rcX

The entire tree for testing is available at:
	git.kernel.org:/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing

This is my queue of important bug fixes for user namespaces.  Most of
these changes warrant being backported.  A few are bug fixes for cases
where only root can trigger the issue so have not been marked for being
back ported to stable.

A few of these patches have not been posted for review previously, so I
am giving them the light of the mailing list before I send them to Linus.  This
patchset has seen some testing already.

Since there is small deliberate breakage of userspace in here the more
reviewers/testers the better.

Barring complications I intend to ask Linus to pull this patchset sometime
early next week.

So far nothing broke on my libvirt-lxc test bed. :-)
Tested with openSUSE 13.2 and libvirt 1.2.9.
Tested-by: Richard Weinberger <richard@...>

Tested on Fedora20 with libvirt 1.2.11, works fine.
Tested-by: Chen Hanxiao <chenhanxiao@...>

Eric W. Biederman (18):
      mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount
      mnt: Update unprivileged remount test
      umount: Disallow unprivileged mount force

Chen Hanxiao | 12 Dec 11:02 2014

[RESEND][PATCH] userns: use macro instead of magic number for max userns level

Use macro instead of magic number
for max user namespace level.

Acked-by: Serge E. Hallyn <serge.hallyn@...>

Signed-off-by: Chen Hanxiao <chenhanxiao@...>
 kernel/user_namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index aa312b0..5435489 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
 <at>  <at>  -47,6 +47,8  <at>  <at>  static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
 	cred->user_ns = user_ns;

+#define MAX_USER_NS_LEVEL 32
  * Create a new user namespace, deriving the creator from the user in the
  * passed credentials, and replacing that user with the new root user for the
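Review bot: The new "#define MAX_USER_NS_LEVEL 32" carries no comment saying what the limit counts or why 32 was chosen, and as shown it sits directly in front of the " * Create a new user namespace ..." comment text that documents create_user_ns(). Move the define above that comment block and give it a one-line description of its own, so the function's doc comment stays attached to the function.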
 <at>  <at>  -62,7 +64,7  <at>  <at>  int create_user_ns(struct cred *new)
 	kgid_t group = new->egid;
 	int ret;

-	if (parent_ns->level > 32)
+	if (parent_ns->level > MAX_USER_NS_LEVEL)
 		return -EUSERS;
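Review bot: In create_user_ns() the comparison remains "parent_ns->level > MAX_USER_NS_LEVEL", so a parent whose level is exactly 32 still passes the check. If the macro is meant to name the deepest level a namespace may have, say in its comment whether the bound applies to the parent or to the namespace being created, because the name alone reads as the latter.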

Mail Delivery System | 11 Dec 18:07 2014

Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

    SMTP error from remote mail server after RCPT TO:<celticadanydany.daddario@...>:
    host []: 550 Unrouteable address

------ This is a copy of the message, including all the headers. ------


Alexander Larsson | 11 Dec 18:36 2014

Limiting access to abstract unix domain sockets

I'm working on using container technology to sandbox desktop
applications, and I've run into an issue with abstract unix domain
sockets. Generally unix domain sockets work fine in a container
situation because they are naturally namespaced via the filesystem.

However, abstract socket addresses are global to the *network*
namespace. This means that if you need to share the host network
namespace (typically so you have full ip networking access) you can't
limit access to *any* service that listens to an abstract unix socket.

I don't particularly need to use abstract sockets, so it would be ok to
just disallow its use in the container. I've looked at using seccomp for
this, but it doesn't seem to help here, as it needs to dereference the
socket address to tell if it's abstract or not.

Does anyone have any idea how to do this?
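
Added example, not part of the original post: a C sketch of the distinction the message turns on. Telling an abstract AF_UNIX address from a pathname one requires reading the address bytes, which a filter that only receives the pointer argument of bind()/connect() cannot do. The function names, the enum and the socket name are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum unix_addr_kind { UNIX_ADDR_INVALID, UNIX_ADDR_UNNAMED,
                      UNIX_ADDR_PATHNAME, UNIX_ADDR_ABSTRACT };

/* Classify an AF_UNIX address into the three kinds described in unix(7).
 * The decision depends on the first byte of sun_path, i.e. on memory behind
 * the sockaddr pointer, not on the pointer value or the length alone. */
enum unix_addr_kind classify_unix_addr(const struct sockaddr_un *sa, socklen_t len)
{
    size_t hdr = offsetof(struct sockaddr_un, sun_path);

    if (sa == NULL || len < hdr || len > sizeof(*sa) || sa->sun_family != AF_UNIX)
        return UNIX_ADDR_INVALID;
    if (len == hdr)
        return UNIX_ADDR_UNNAMED;      /* no path bytes at all */
    if (sa->sun_path[0] == '\0')
        return UNIX_ADDR_ABSTRACT;     /* leading NUL: no filesystem entry */
    return UNIX_ADDR_PATHNAME;
}

/* Bind a socket to a constructed abstract name and classify the address the
 * kernel reports back. Returns 1 if abstract, 0 if not, -1 on socket error. */
int abstract_bind_roundtrip(void)
{
    struct sockaddr_un sa, got;
    socklen_t glen = sizeof(got);
    int n, fd, ok;

    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    /* sun_path[0] stays '\0'; the sample name follows it (pid keeps it unique) */
    n = snprintf(sa.sun_path + 1, sizeof(sa.sun_path) - 1,
                 "example-abstract-%ld", (long)getpid());
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    ok = bind(fd, (struct sockaddr *)&sa,
              (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n)) == 0 &&
         getsockname(fd, (struct sockaddr *)&got, &glen) == 0;
    n = ok ? (classify_unix_addr(&got, glen) == UNIX_ADDR_ABSTRACT) : -1;
    close(fd);
    return n;
}
```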

postmaster | 10 Dec 15:32 2014

Undeliverable: Invoice details 62824371217.

Delivery has failed to these recipients or groups:

The email address you specified couldn't be found or is invalid. It may be due to a bad entry in your Outlook or
Outlook Web App recipient AutoComplete cache. Use the steps below to clear the entry from the cache:

  1.  Click New mail.
  2.  In the To field start typing the recipient's name or email address until the recipient appears in the
drop-down list.
  3.  Use the DOWN ARROW and UP ARROW keys to select the recipient, and then press the DELETE key.

Then resend your message – delete and retype the recipient’s name or e-mail address before sending it.

For more tips to help resolve this issue see DSN 5.1.x Errors in Exchange Online and Office 365<http://go.microsoft.com/fwlink/?LinkId=389363>.

Diagnostic information for administrators:

Generating server: AM3PR07MB242.eurprd07.prod.outlook.com

Remote Server returned '550 5.1.1 RESOLVER.ADR.RecipNotFound; Recipient not found by SMTP address lookup'

Original message headers:


Philippe MALSERT | 9 Dec 05:08 2014

Re: Fwd: Debt details 78730858.

   For Philippe MALSERT and LD Systeme,
   every correspondent is important!


   You have contacted my network of privileged correspondents. To
   deliver your message and benefit from all the advantages offered
   to members of my community, I invite you to click on [1]this link.

   Thanking you in advance.

   Kind regards,

   Philippe MALSERT

   LD Systeme


   Every new contact matters to
   Philippe MALSERT and LD Systeme!


   I would like to invite you to join my network of trusted contacts.

   Click on [2]this link to ensure the delivery of your message and to
   benefit from all the advantages of being part of my network.