Mike Frysinger wrote on 11/15/2015 01:42 PM:
On 15 Nov 2015 13:06, U.Mutlu wrote:
Mike Frysinger wrote on 11/15/2015 07:28 AM:
On 15 Nov 2015 03:10, U.Mutlu wrote:
Mike Frysinger wrote on 11/15/2015 02:24 AM:
On 15 Nov 2015 01:49, U.Mutlu wrote:
So, then the question remains: how to give non-root user a secure mount
no, it doesn't. at least two people have already told you how to do it:
use the usernamespace (-U) option that unshare already supports.
It's not yet clear for me how to use that. Can you give an example?
unshare -U /bin/bash
the unshare(1) man page already includes an example:
$ unshare --map-root-user --user sh -c whoami
root
No, firstly there is no such example in man unshare, secondly it doesn't do here:
$ unshare --map-root-user --user sh -c whoami
unshare: unshare failed: Operation not permitted
Is there maybe a bug in the Debian version?
complain to Debian. iirc, they break their kernels on purpose by adding
non-standard caps which disallow userns usage.
Ok, I found out that on Debian one needs to make the follwing entry in
/etc/sysctl.conf:
kernel.unprivileged_userns_clone = 1
and reboot, or do sysctl -p /etc/sysctl.conf, or equivalently
echo 1 > /proc/sys/kernel/unprivileged_userns_clone
Now the above unshare command does work.
And thirdly: is that not even more dangerous to give a user root permission
then? I don't understand this philosophy. Or, where is the trick in this?
you aren't actually root. you'll probably want to read:
https://lwn.net/Articles/532593/
man user_namespaces
Yes, I knew them, but hadn't read throughly :-)
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
