From: Richard Weinberger
To: Enrico Weigelt, Aleksa Sarai
Cc: Linux Containers, linux-kernel@vger.kernel.org
Subject: Re: plan9 semantics on Linux - mount namespaces
Date: Wed, 14 Feb 2018 13:53:40 +0100
Message-ID: <2658681.ustYaP9yci@blindfold>
In-Reply-To: <4864d279-9a3f-eaf4-c297-ea34be604e41@metux.net>
References: <0f058286-a432-379b-f559-f2fe713807ab@metux.net> <4864d279-9a3f-eaf4-c297-ea34be604e41@metux.net>

Enrico,

On Wednesday, 14 February 2018, 13:38:48 CET, Enrico Weigelt wrote:
> On 14.02.2018 12:30, Richard Weinberger wrote:
> > On Wed, Feb 14, 2018 at 12:27 PM, Enrico Weigelt wrote:
> >> On 14.02.2018 11:24, Aleksa Sarai wrote:
> >>> What distribution are you using and which release?
> >>
> >> On a self-compiled system.
> >>
> >> Forgot to enable namespaces in the kernel. Now it seems to work
> >> as root, but not as an unprivileged user:
> >>
> >>
> >> daemon@alphabox:~ unshare -r -U
> >> unshare: can't open '/proc/self/setgroups': Permission denied
> >> daemon@alphabox:~ unshare -f -r -U
> >> unshare: can't open '/proc/self/setgroups': Permission denied
> >
> > Please read http://man7.org/linux/man-pages/man7/user_namespaces.7.html
> > setgroups is a corner case and needs special care.
>
> I'm still confused. Does the unshare program do something wrong here?

It does what you ask it to. Also see the --setgroups switch.
AFAICT --setgroups=deny is the new default, then your command line should just work.
Maybe your unshare tool is too old.

> Anyways, I doubt that user namespaces help solving my problem.
>
> What I'd like to achieve is that processes can manipulate their private
> namespace at will and mount other filesystems (primarily 9p and fuse).
>
> For that, I need to get rid of setuid (and per-file caps) for these
> private namespaces.

This is exactly why we have the user namespace. In the user namespace you can
create your own mount namespace and do (almost) whatever you want.
Please note that you cannot mount any kind of filesystem.
For FUSE, see https://lwn.net/Articles/684774/

Thanks,
//richard

--
sigma star gmbh - Eduard-Bodem-Gasse 6 - 6020 Innsbruck - Austria
ATU66964118 - FN 374287y
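The exchange above turns on the order of writes that user_namespaces(7) requires before an unprivileged process can become "root" inside its own user namespace and then own a mount namespace. The following program is an added illustration written for this page, not code from Richard, Enrico or the util-linux `unshare` tool: it unshares a user and mount namespace, denies setgroups first, writes gid_map and uid_map in that order, and then mounts a tmpfs (one of the filesystem types the kernel allows from an unprivileged user namespace) without any setuid helper. The helper names `format_id_map`, `write_proc_file` and `map_self_as_root` and the `/tmp/userns-demo-XXXXXX` directory are this example's own choices; running it needs a kernel with unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Build the one-line "inside outside count" mapping that /proc/self/uid_map
 * and gid_map accept. Returns the number of bytes written, or -1 if the
 * buffer is too small. (Helper name chosen for this example.) */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside,
                  unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Write a short string to a /proc file in a single write(2), which is what
 * the setgroups/uid_map/gid_map files require. Returns 0 on success or
 * -errno on failure. */
int write_proc_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd == -1)
        return -errno;
    ssize_t want = (ssize_t)strlen(text);
    ssize_t got = write(fd, text, (size_t)want);
    int err = (got == want) ? 0 : -errno;
    close(fd);
    return err;
}

/* The sequence user_namespaces(7) requires for an unprivileged caller:
 *  1. write "deny" to /proc/self/setgroups (the step the thread's unshare
 *     invocation tripped over),
 *  2. write gid_map, which fails with EPERM if step 1 was skipped,
 *  3. write uid_map.
 * Maps the caller's original uid/gid to 0 inside the new namespace. */
int map_self_as_root(uid_t outer_uid, gid_t outer_gid)
{
    char map[64];
    int err;

    if ((err = write_proc_file("/proc/self/setgroups", "deny")) != 0)
        return err;
    if (format_id_map(map, sizeof map, 0, (unsigned)outer_gid, 1) < 0)
        return -EINVAL;
    if ((err = write_proc_file("/proc/self/gid_map", map)) != 0)
        return err;
    if (format_id_map(map, sizeof map, 0, (unsigned)outer_uid, 1) < 0)
        return -EINVAL;
    return write_proc_file("/proc/self/uid_map", map);
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char dir[] = "/tmp/userns-demo-XXXXXX";   /* scratch mount point */

    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }

    /* New user namespace plus a new mount namespace owned by it. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWNS)");
        return 1;
    }
    int err = map_self_as_root(uid, gid);
    if (err != 0) {
        fprintf(stderr, "id mapping failed: %s\n", strerror(-err));
        return 1;
    }
    printf("inside the namespace: uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());

    /* Keep mount changes private to this namespace, then mount a tmpfs.
     * Only filesystem types flagged as user-namespace mountable work here;
     * as the reply notes, "you cannot mount any kind of filesystem". */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
        perror("mount(MS_PRIVATE)"); return 1;
    }
    if (mount("tmpfs", dir, "tmpfs", 0, "size=1m") == -1) {
        perror("mount(tmpfs)"); return 1;
    }
    printf("mounted a private tmpfs on %s without a setuid helper\n", dir);
    umount(dir);
    rmdir(dir);
    return 0;
}
```

If the setgroups write is skipped, the gid_map write is the call that fails, which is the "corner case" the reply points to: since Linux 3.19 an unprivileged namespace creator must give up setgroups(2) before mapping a group, otherwise a mapped user could drop a supplementary group that was restricting its access outside the namespace.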