sf...@users.sourceforge.net: > Bhushan Jain: > > Attached is a sample code that creates a user namespace and maps the un-pri= > > vileged user to root within the namespace.=0A= > > The user namespace can be used for sandboxing. Having aufs support within t= > > he user namespace can help create a chroot environment where multiple direc= > > tories are united into a single filesystem.=0A= > > Thanks for the sample code. > Personally, user-ns is not attractive for me, at the same time I don't > have strong objection. So I will merge your patch.
Intrestingly, very similar discussion happened on LKML. See this and its thread. Date: Tue, 16 Jul 2013 14:29:20 -0500 From: Serge Hallyn <serge.hal...@ubuntu.com> Subject: [PATCH RFC] allow some kernel filesystems to be mounted in a user namespace The patch sets FS_USERNS_MOUNT for debugfs, fuse and securityfs. But at the end of the thread, he wrote Right so the specific problem this patch introduces is: An admin who is using a distro kernel with these filesystems enabled but not mounted, without this patch does not have to worry about unprivileged users being able to access the fs. With this patch, he does. Thanks everyone, I withdraw this patch. If such problem really exists, it might be better for aufs NOT to set FS_USERNS_MOUNT I suppose. J. R. Okajima ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk