Friday, 5 December 2025, at 10:20 (+02:00), Andrei Borzenkov wrote:
> On Thu, Dec 4, 2025 at 10:24 PM Jyrki Vesterinen <[email protected]> wrote:
> >
> > Mounting was pretty much the primary use case I had hoped to use the
> > --empower mode for (since my regular user would own the mount point
> > afterwards, saving me from running chown by hand).
>
> What makes you think so?

That it is the regular user account performing the mount operation? "The user who performed the mount owns the mount point" makes sense to me. (It's fine if I was mistaken. I'll just continue to use run0 in regular mode like before.)

> > The same thing would presumably happen with most SUID binaries. Sure, raw
> > syscalls to perform all kinds of operations would succeed, but SUID
> > programs will refuse to work. As a result, --empower isn't very usable in
> > practice with current-day distros.
> >
> > Are there any plans to address this?
>
> The only way to address it from the run0 side is to enter a user
> namespace where the invoking user has UID 0. Otherwise it is really up
> to the invoked command to check for capabilities, not for UID 0.

Well, instead of run0 side, I was thinking of possibilities like "contacting util-linux developers and asking them to add such capability checks" or "systemd providing its own variants of common SUID commands".

-- 
Best regards,
Jyrki Vesterinen
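The distinction the thread turns on, "check for capabilities, not for UID 0", in code. This is an added illustration and is not code from the thread, from run0/systemd or from util-linux. It assumes a Linux host (the effective capability set is read from /proc/self/status) and uses the CAP_SYS_ADMIN bit number from linux/capability.h, the capability mount(2) requires. The embedded status-file excerpts in the comments are constructed, not captured from a real run0 session.

```c
/* Added example (not from the thread): how a privileged helper such as a
 * mount-like tool could decide "am I allowed?" by looking at its effective
 * capability set instead of testing for UID 0. Under a run0 --empower
 * session the invoking UID stays non-zero while capabilities are granted,
 * so privileged_by_uid() says no and privileged_by_capability() says yes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21   /* bit number from linux/capability.h; mount(2) needs it */
#endif

/* Pure helper: is capability bit `cap` set in a 64-bit capability mask? */
int cap_mask_has(unsigned long long mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Extract the CapEff mask from the text of /proc/<pid>/status.
 * Returns the hex mask after "CapEff:"; 0 if the line is absent, which for a
 * privilege decision is the same as "no capabilities at all". */
unsigned long long capeff_from_text(const char *status_text)
{
    const char *key = "CapEff:";
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0)
            return strtoull(line + strlen(key), NULL, 16); /* skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0ULL;
}

/* The UID-based test that makes SUID tools refuse to work under --empower. */
int privileged_by_uid(void)
{
    return geteuid() == 0;
}

/* The capability-based test the thread suggests instead: read this
 * process's own effective set (Linux only; returns 0 where /proc is absent). */
int privileged_by_capability(int cap)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_mask_has(capeff_from_text(buf), cap);
}

int main(void)
{
    /* Run once as a plain user, once under "sudo"/"run0", and once under
     * "run0 --empower" to see the two checks disagree in the last case. */
    printf("euid==0: %d, CAP_SYS_ADMIN in CapEff: %d\n",
           privileged_by_uid(), privileged_by_capability(CAP_SYS_ADMIN));
    return 0;
}
```

A tool that wants to be usable under --empower would gate its privileged path on the capability result and keep the UID test only for deciding which user should end up owning things such as a mount point.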
