"U.Mutlu" <for-gmane@xxxxxxxxxxx> writes: > Karel Zak wrote on 10/30/2015 11:22 AM: >> On Fri, Oct 30, 2015 at 03:09:15AM +0100, U.Mutlu wrote: >>> Hi, >>> I wonder why "unshare -m" doesn't work for an unpriviledged user: >>> >>> $ unshare -m /bin/bash >>> unshare: unshare failed: Operation not permitted >>> $ echo $? >>> 1 >>> $ ls -l `which unshare` >>> -rwxr-xr-x 1 root root 14640 Mar 30 2015 /usr/bin/unshare >>> >>> Funny thing: when making the binary setuid then it works. >>> But I would prefer a working original version in the OS repository. >>> >>> OS: Debian 8 >>> >>> # dpkg -l | grep -i util-linux >>> ii util-linux 2.25.2-6 amd64 >>> Miscellaneous system utilities >>> >>> Is this a bug, or is it not supposed to work for non-root users? >> >> man 2 unshare: >> >> CLONE_NEWNS >> >> This flag has the same effect as the clone(2) CLONE_NEWNS flag. >> Unshare the mount namespace, so that the calling process has a private >> copy of its namespace which is not shared with any other process. >> Specifying this flag automatically implies CLONE_FS as well. Use of >> CLONE_NEWNS requires the CAP_SYS_ADMIN capability. >> ^^^^^^^^^^^^ >> >> .. so yes, it's expected behavior. >> >> Karel > > I would say that the bug lies in the wrong file permissions. > chmod u+s fixes the bug, and I suggest that this should be the default. > Then non-root users can use it too. There is no bug. There are real dangers in creating a new mount namespace as you can fool suid root applications like passwd. You can safely use new mount namespaces after creating a new user namespace, and that does not require any special permissions on unshare. Eric -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
