If you enter it first, you lose privilege for subsequent namespace enters,see issue https://github.com/karelzak/util-linux/issues/315
The fix is to enter the user namespace last of all.
Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
index d8690db..1525f15 100644
--- a/sys-utils/nsenter.c
+++ b/sys-utils/nsenter.c
@@ -52,13 +52,13 @@ static struct namespace_file {
 * first. This gives an unprivileged user the potential to
 * enter the other namespaces.
 */
- { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 },
 { .nstype = CLONE_NEWCGROUP,.name = "ns/cgroup", .fd = -1 },
 { .nstype = CLONE_NEWIPC, .name = "ns/ipc", .fd = -1 },
 { .nstype = CLONE_NEWUTS, .name = "ns/uts", .fd = -1 },
 { .nstype = CLONE_NEWNET, .name = "ns/net", .fd = -1 },
 { .nstype = CLONE_NEWPID, .name = "ns/pid", .fd = -1 },
 { .nstype = CLONE_NEWNS, .name = "ns/mnt", .fd = -1 },
+ { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 },
 { .nstype = 0, .name = NULL, .fd = -1 }
 };
--
To unsubscribe from this list: send the line "unsubscribe util-linux"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
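Review bot: The context comment directly above the array ("... first. This gives an unprivileged user the potential to enter the other namespaces.") now states the opposite of what the new ordering does, since the `ns/user` entry is moved to the end of the table while the comment still justifies entering the user namespace first. A reader maintaining this table later would reasonably "fix" the order back, reintroducing the privilege loss the commit message describes, so the comment should be rewritten in the same hunk, e.g. `/* Careful, the order is significant: the user namespace is entered last, because entering it first drops the privilege needed for the subsequent namespace enters (see util-linux issue #315). */`. The hunk header advertises 13 old and 13 new lines but only 12 of each are visible here, so one context line (presumably the opening of that comment) appears to have been lost in transport; verify the comment text against the actual file before editing it. The namespace_files table starts before this hunk, so the comment's first lines are outside the hunk.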