The simple solution would be to disable setuid/setgid flags for private namespaces of users other than root. And then (not so simple) fix programs that don't work :)
Lucho On 9/7/07, David Leimbach <[EMAIL PROTECTED]> wrote: > > > On 9/7/07, Eric Van Hensbergen <[EMAIL PROTECTED]> wrote: > > Linux actually has private namespaces, its just off by default. There > > is a flag to clone which can be used to establish new processes in > > private namespaces (CLONENS or some such thng). > > > > Primary downside is that its superuser only -- but you could get > > around it with setuid or custom kernel. > > > > -eric > > > > > > Then you have to worry about what happens when people do things like binding > over /etc/passwd :-) > > > >
