Your message dated Thu, 4 Jun 2026 13:19:46 +0200 with message-id <[email protected]> and subject line Re: Bug#1134639: nsenter -t 1 -m escapes mount and pid namespaces has caused the Debian Bug report #1134639, regarding nsenter -t 1 -m escapes mount and pid namespaces to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
1134639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134639
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: util-linux
Version: 2.42-4

I observed this in a simple test setup, with an ordinary filesystem built with {debootstrap --variant=minbase sid FS ...}

First: {unshare -m -p -f chroot FS} will change root into that filesystem with unshared mount and pid namespaces.

Next: {mount -t proc proc /proc} will mount the procfs for that pid namespace.

We see with {ls -l /proc/1/ns/mnt} the identity of the unshared mount namespace, which is different from the identity before chroot.

But: {nsenter -t 1 -m -- ls -l /proc/1/ns/mnt} shows the identity of the host mount namespace -- the outer namespace.

Thus {nsenter -t 1 -m} "escapes" from the unshared namespace to the containing namespace.

And for example: {nsenter -t 1 -m /bin/sh} starts a shell in the outer mount and pid namespace(s)!

This seems to be a severe bug. Apparently {nsenter -t 1 -m} finds pid 1 in the outer namespace rather than in the call pid namespace.

Ralph.
--- End Message ---
--- Begin Message ---
On Thu, Jun 04, 2026 at 08:15:35PM +1000, Ralph Ronnquist wrote:
> On Thu, Jun 04, 2026 at 04:03:44AM +0000, Christian Albrecht Goeschel Ndjomouo wrote:
>
> I will need a couple of sleeps before I fully grasp that "absolute
> root" notion. However the recipe you outline does bring the desired
> effect of eliminating that namespace escape for me.

Seems like upstream gave a good explanation. I'll close the Debian bug then :-)

Best,
Chris
--- End Message ---

