On Thu, Mar 18, 2021 at 07:07:00PM +0200, Amir Goldstein wrote:
> > > That may change when systemd home dirs feature starts to use idmapped
> > > mounts. Being able to watch the user's entire home directory is a big
> > > win already.
> >
> > Do you mean that home directory would be an extra mount with userns in
> > which the user has CAP_SYS_ADMIN so he'd be able to watch subtrees on that
> > mount?
> >
>
> That is what I meant.
> My understanding of the systemd-homed use case for idmapped mounts is
> that the user has CAP_SYS_ADMIN in the mapped userns, but I may be wrong.

systemd can simply create a new userns with the uid/gid of the target user,
effectively delegating it (that's independent of actually writing a uid/gid
mapping for the userns, which will be done with privileges), and then attach
it to that mount for the user.

Lennart's and my idea there so far has been that the creation would likely be
done by the user's session at login time

brauner     1346  0.0  0.0  20956  8512 ?        Ss   Mar03   0:03 /lib/systemd/systemd --user

and systemd as root would then take care of writing the mapping to the userns
and then attaching it to the mount. (I'll see Lennart in the next few days and
see what works best, and once we're ready start a discussion somewhere on a
public list, I would suggest.)

(If systemd doesn't want a user to be able to monitor a mnt it can simply
create a userns with a different uid/gid but with the relevant mapping. This
was what my earlier point was about "blocking a user from creating a subtree
watch".)

Christian