> > One thing that is missing from this series is the ability to restrict > > user mounts to private namespaces. The reason is that private > > namespaces have still not gained the momentum and support needed for > > painless user experience. So such a feature would not yet get enough > > attention and testing. However adding such an optional restriction > > can be done with minimal changes in the future, once private > > namespaces have matured. > > What is the main reason for that feature? Would it be to prevent things > like login from being tricked by user mounts? Isn't it sufficient, in > fact, better, to require that the target of the mount be owned by the > user doing the mount? It's been discussed later in that thread. Basically you can fool a lot of system programs (like backup) with mounting/binding in the global namespace. Restricting the destination doesn't always help. Miklos - To unsubscribe from this list: send the line "unsubscribe util-linux-ng" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
