Re: plan9 semantics on Linux - mount namespaces

On 14.02.2018 13:53, Richard Weinberger wrote:

> It does what you ask it for.
> Also see the --setgroups switch.
> AFAICT --setgroups=deny is the new default, then your command line should just
> work. Maybe your unshare tool is too old.

Also doesn't help:

daemon@alphabox:~ unshare -U -r --setgroups=deny
unshare: can't open '/proc/self/setgroups': Permission denied

>> What I'd like to achieve is that processes can manipulate their private
>> namespace at will and mount other filesystems (primarily 9p and fuse).
>>
>> For that, I need to get rid of setuid (and per-file caps) for these
>> private namespaces.
>
> This is exactly why we have the user namespace.
> In the user namespace you can create your own mount namespace and do (almost)
> whatever you want.

What's the exact relation between user and mnt namespace?
Why do I need my own user ns for a private mnt ns? (except for the suid
bit, which I want to get rid of anyway).


--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
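An added example, not code from the thread or from any of its participants, that does by hand what `unshare -U -r --setgroups=deny --mount` does and shows the relation between the two namespaces that the question above asks about: unshare(CLONE_NEWNS) and mount(2) both require CAP_SYS_ADMIN in the user namespace that owns the mount namespace, and an unprivileged process holds that capability only in a user namespace it created itself. The program first tries CLONE_NEWNS alone (EPERM for an unprivileged caller), then creates a user namespace, maps its own uid and gid to 0, creates a mount namespace inside it and mounts a tmpfs there (standing in for 9p or fuse, which would need a server); the parent then checks that the child's mount is invisible outside the child's namespace. Assumptions: Linux with CONFIG_USER_NS, a writable /tmp, and an environment that permits unprivileged user namespaces; where a sysctl, seccomp profile or missing /proc forbids them, the functions return the kernel's errno instead of a mount.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one string to a file (the /proc/self/* namespace knobs). 0 or -errno. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int err = (write(fd, s, strlen(s)) < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* What `unshare -U -r --setgroups=deny --mount` does, step by step:
 *  1. CLONE_NEWUSER: a new user ns in which this process holds every capability;
 *  2. "deny" into /proc/self/setgroups, required before an unprivileged
 *     process may write gid_map;
 *  3. map our euid/egid to 0 inside the new ns (the -r of unshare(1));
 *  4. CLONE_NEWNS: the new mount ns is owned by the user ns from step 1,
 *     so CAP_SYS_ADMIN there is enough to mount(2) into it.
 * Returns 0 or -errno of the first failing step. */
int enter_private_ns(void)
{
    char map[64];
    unsigned uid = geteuid(), gid = getegid();
    int r;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    if ((r = write_file("/proc/self/setgroups", "deny")) < 0)
        return r;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if ((r = write_file("/proc/self/uid_map", map)) < 0)
        return r;
    snprintf(map, sizeof map, "0 %u 1", gid);
    if ((r = write_file("/proc/self/gid_map", map)) < 0)
        return r;
    return unshare(CLONE_NEWNS) < 0 ? -errno : 0;
}

/* The counter-example: CLONE_NEWNS alone needs CAP_SYS_ADMIN in the *current*
 * user ns, which an unprivileged process in the initial user ns lacks (EPERM). */
int unshare_mountns_only(void)
{
    return unshare(CLONE_NEWNS) < 0 ? -errno : 0;
}

/* Fork; in the child run `step`, make mount propagation private so nothing
 * leaks back to the parent, mount a tmpfs on `dir` and drop a marker file in
 * it. Returns 0 if the child got that far, else -errno of the failing step. */
static int run_in_child(int (*step)(void), const char *dir)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        char marker[4096];
        int r = step();
        if (r == 0 && mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
            r = -errno;
        if (r == 0 && mount("none", dir, "tmpfs", MS_NOSUID | MS_NODEV, "size=1m") < 0)
            r = -errno;
        if (r == 0) {
            snprintf(marker, sizeof marker, "%s/marker", dir);
            int fd = open(marker, O_WRONLY | O_CREAT, 0600);
            r = fd < 0 ? -errno : 0;
            if (fd >= 0)
                close(fd);
        }
        _exit(r == 0 ? 0 : -r); /* Linux errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -ECHILD;
}

int mount_tmpfs_in_private_ns(const char *dir) { return run_in_child(enter_private_ns, dir); }
int mount_tmpfs_without_userns(const char *dir) { return run_in_child(unshare_mountns_only, dir); }

/* Errors that mean the kernel or container policy forbids the operation
 * (no capability, sysctl, seccomp, no CONFIG_USER_NS, ns limits, no /proc)
 * rather than a mistake in the sequence above. */
int is_policy_error(int err)
{
    return err == -EPERM || err == -EACCES || err == -EINVAL || err == -ENOSPC ||
           err == -EUSERS || err == -ENOENT || err == -ENOSYS;
}

/* Seen from the parent's mount ns the child's tmpfs (and its marker) must
 * not exist: the mount was private to the child's namespace. */
int marker_visible(const char *dir)
{
    char marker[4096];
    snprintf(marker, sizeof marker, "%s/marker", dir);
    return access(marker, F_OK) == 0;
}

int main(void)
{
    char tmpl[] = "/tmp/privns.XXXXXX"; /* assumed writable scratch location */
    char *dir = mkdtemp(tmpl);
    if (!dir) { perror("mkdtemp"); return 1; }
    int r = mount_tmpfs_without_userns(dir);
    printf("mount ns without user ns:    %s\n", r ? strerror(-r) : "ok");
    r = mount_tmpfs_in_private_ns(dir);
    printf("mount ns inside own user ns: %s\n", r ? strerror(-r) : "ok");
    printf("marker visible from parent:  %s\n", marker_visible(dir) ? "yes" : "no");
    rmdir(dir);
    return 0;
}
```

Build with `cc -o privns privns.c` and run it as an ordinary user: the first line should report "Operation not permitted", the second "ok" on a kernel that allows unprivileged user namespaces, and the marker is never visible from the parent because the tmpfs lived only in the child's mount namespace. The setgroups "deny" step is exactly the write that the `unshare -U -r --setgroups=deny` attempt above is failing on; doing it by hand shows which step the kernel objects to.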
