On 15 Nov 2015 16:56, U.Mutlu wrote:
> Mike Frysinger wrote on 11/15/2015 01:42 PM:
> > On 15 Nov 2015 13:06, U.Mutlu wrote:
> >> Mike Frysinger wrote on 11/15/2015 07:28 AM:
> >>> On 15 Nov 2015 03:10, U.Mutlu wrote:
> >>>> Mike Frysinger wrote on 11/15/2015 02:24 AM:
> >>>>> On 15 Nov 2015 01:49, U.Mutlu wrote:
> >>>>>> So, then the question remains: how to give non-root user a secure mount
> >>>>>
> >>>>> no, it doesn't. at least two people have already told you how to do it:
> >>>>> use the usernamespace (-U) option that unshare already supports.
> >>>>
> >>>> It's not yet clear to me how to use that. Can you give an example?
> >>>> unshare -U /bin/bash
> >>>
> >>> the unshare(1) man page already includes an example:
> >>> $ unshare --map-root-user --user sh -c whoami
> >>> root
> >>
> >> No, firstly there is no such example in man unshare, secondly it doesn't do here:
> >> $ unshare --map-root-user --user sh -c whoami
> >> unshare: unshare failed: Operation not permitted
> >>
> >> Is there maybe a bug in the Debian version?
> >
> > complain to Debian. iirc, they break their kernels on purpose by adding
> > non-standard caps which disallow userns usage.
>
> Ok, I found out that on Debian one needs to make the following entry in
> /etc/sysctl.conf:
> kernel.unprivileged_userns_clone = 1
> and reboot, or do sysctl -p /etc/sysctl.conf, or equivalently
> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> Now the above unshare command does work.

ah, thanks for the tip !
-mike
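A pre-flight check for the "Operation not permitted" failure discussed in the thread, as an added shell example that is not part of the thread or of util-linux; it assumes the Debian-specific knob path quoted above, that unshare(1) from util-linux is installed, and that the function names (userns_status, remedy, userns_works, report) are ours.

```shell
#!/bin/sh
# Added example, not from the thread. Explains "unshare: unshare failed:
# Operation not permitted" before trying `unshare --map-root-user --user`.
# Debian kernels carry a non-upstream knob gating unprivileged user
# namespaces; upstream kernels have no such file and allow them by default.
KNOB=/proc/sys/kernel/unprivileged_userns_clone

# userns_status [path] -> enabled | disabled | no-debian-knob | unknown(<v>)
userns_status() {
    knob=${1:-$KNOB}
    [ -r "$knob" ] || { echo no-debian-knob; return 0; }
    v=$(tr -d '[:space:]' < "$knob")
    case $v in
        1) echo enabled ;;
        0) echo disabled ;;   # Debian default: unshare -U fails with EPERM
        *) echo "unknown($v)" ;;
    esac
}

# remedy <status> -> the two fixes the thread arrived at (root required);
# prints nothing for any other status. Debian ships the knob off as a
# hardening default (less kernel namespace code reachable by unprivileged
# users), so the change is a deliberate trade-off, not a bug fix.
remedy() {
    [ "$1" = disabled ] || return 0
    echo "echo 1 > $KNOB                      # effective until reboot"
    echo "echo 'kernel.unprivileged_userns_clone = 1' >> /etc/sysctl.conf && sysctl -p /etc/sysctl.conf"
}

# userns_works -> 0 if the man-page example from the thread really yields
# uid 0 inside a new user namespace for the current unprivileged user.
userns_works() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare --map-root-user --user sh -c 'test "$(id -u)" = 0' 2>/dev/null
}

# report -> summary; run as: RUN_CHECK=1 sh userns-check.sh
report() {
    s=$(userns_status)
    echo "unprivileged_userns_clone: $s"
    if userns_works; then
        echo "unshare --map-root-user --user: works"
    else
        echo "unshare --map-root-user --user: fails"
        remedy "$s"
    fi
}

if [ "${RUN_CHECK:-0}" = 1 ]; then report; fi
```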