> It does what you ask it for.
>
> Also see the --setgroups switch.
> AFAICT --setgroups=deny is the new default, then your command line
> should just work. Maybe your unshare tool is too old.
Also doesn't help:

daemon@alphabox:~ unshare -U -r --setgroups=deny
unshare: can't open '/proc/self/setgroups': Permission denied

>> What I'd like to achieve is that processes can manipulate their private
>> namespace at will and mount other filesystems (primarily 9p and
>> fuse).
>>
>> For that, I need to get rid of setuid (and per-file caps) for these
>> private namespaces.
>
> This is exactly why we have the user namespace.
> In the user namespace you can create your own mount namespace and do (almost)
> whatever you want.

What's the exact relation between user and mnt namespace?
Why do I need my own user ns for a private mnt ns? (except for the suid
bit, which I wanna get rid of anyway).
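The relation the quoted reply describes, as an added C example that is not from this thread: an unprivileged process first creates a user namespace (writing "deny" to /proc/self/setgroups before gid_map, which is what the unshare tool's --setgroups=deny does), and only then can it own a mount namespace in which it is allowed to mount. The mountpoint argument is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Write a short string to a /proc file. Returns 0 or -errno. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = (write(fd, text, strlen(text)) < 0) ? -errno : 0;
    close(fd);
    return rc;
}

/* As an unprivileged user: enter a new user namespace, map our own uid/gid to 0
 * inside it, then unshare a mount namespace owned by that user namespace and
 * mount a tmpfs on mountpoint (assumed path). Returns 0 or -errno of the failed step. */
int enter_private_ns(const char *mountpoint)
{
    char buf[64];
    int rc;
    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;   /* EPERM/EINVAL: unprivileged user namespaces disabled */
    /* An unprivileged caller must write "deny" here before gid_map will accept a
     * mapping; this is what the unshare tool's --setgroups=deny does. */
    if ((rc = write_proc("/proc/self/setgroups", "deny")) < 0)
        return rc;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)getuid());
    if ((rc = write_proc("/proc/self/uid_map", buf)) < 0)
        return rc;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)getgid());
    if ((rc = write_proc("/proc/self/gid_map", buf)) < 0)
        return rc;
    /* We now hold CAP_SYS_ADMIN in our own user namespace, which is all that a
     * mount namespace created from here requires: no setuid helper, no real root. */
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    /* Make mounts private so nothing propagates back to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    if (mount("tmpfs", mountpoint, "tmpfs", 0, NULL) < 0)
        return -errno;
    return 0;
}
```

On a kernel that has unprivileged user namespaces disabled the first unshare() fails with EPERM or EINVAL, which is the same class of failure the quoted unshare -U -r run shows.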


