Received: by 10.223.185.116 with SMTP id b49csp643760wrg;
        Wed, 14 Feb 2018 04:53:25 -0800 (PST)
X-Google-Smtp-Source: AH8x227tJiZ/EZvxSSM9ib91wyYpUzeY+vjYj1xdochLIdpMwtau9+ElD1l77FkALker6rRJOvAO
X-Received: by 2002:a17:902:5a0d:: with SMTP id q13-v6mr1565102pli.152.1518612805407;
        Wed, 14 Feb 2018 04:53:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518612805; cv=none;
        d=google.com; s=arc-20160816;
        b=SZf0tCdesS47y5x3NYpVcX6jrOixsFAqESwE7HxP6ug/pO76AcZIYEcbtFrto9h+E6
         Djqnwe6sQ81JIQRl3GQjebi8TmaCfPKZIwb/7SQ++T0wDe5NrtIE8/Zl5H6jq8KfSY62
         k6MHuLcap9HLIBzb5FbiMmUjUTnl+LdMKjBLvwNqtUFFKpr0L4OmufIJkywZ1p3zutVp
         lL5c/HSGGPEYjEsqMmd0pDdup0Z7GYGNbhmMM0fTeuD7G/hh/tWAoMTuQ3MgDGQ3uHNZ
         xuheJiF6+ccPE/9Upkc4Ypetgqfbv+0g5tAOEv01o/e+Or1TiWNCBhTJukymv825gFut
         l7JQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=xFxsulYOYYrEvsP5mexPADfs0akGVSdt6FUU0TAv7eE=;
        b=rwOfX7dJyF7v0geyPTN4XqLsddp3KvyERWA4W48393W+dNDnJbkVeSXscMFW1XIA4g
         tM/qTZarbLMTzD92MBQqk75R16CcWE0aId+PYcBM3ItXSQimdZdAdN2z8CP4eX1CTeqN
         0Zh23DB3LrwkLoJXi4BsiS6LTkTF7B2FJUWym4iv+yXgbsOah+zefbwiIinjfYD1/Vt/
         jnL3iMC97ou4G193dI67jLVtLWJiR903cKFWcbyM0xSw+HsSZhMeSXSj7G1RL9omgLDT
         nu9Z/UUjmB7avkqIkTUMLRxsomP9sYnno9/QLLxSBg//iNsLfA9yjV6pUHX+fnx0igkQ
         Wteg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 14-v6si1146611plb.444.2018.02.14.04.53.10;
        Wed, 14 Feb 2018 04:53:25 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S967718AbeBNMw1 (ORCPT <rfc822;rmelvin.vger@gmail.com>
        + 99 others); Wed, 14 Feb 2018 07:52:27 -0500
Received: from lilium.sigma-star.at ([109.75.188.150]:49884 "EHLO
        lilium.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S967589AbeBNMw0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Feb 2018 07:52:26 -0500
Received: from localhost (localhost [127.0.0.1])
        by lilium.sigma-star.at (Postfix) with ESMTP id 405D318191EA0;
        Wed, 14 Feb 2018 13:52:25 +0100 (CET)
From:   Richard Weinberger <richard@sigma-star.at>
To:     Enrico Weigelt <lkml@metux.net>, Aleksa Sarai <asarai@suse.de>
Cc:     Linux Containers <containers@lists.linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: plan9 semantics on Linux - mount namespaces
Date:   Wed, 14 Feb 2018 13:53:40 +0100
Message-ID: <2658681.ustYaP9yci@blindfold>
In-Reply-To: <4864d279-9a3f-eaf4-c297-ea34be604e41@metux.net>
References: <0f058286-a432-379b-f559-f2fe713807ab@metux.net> <CAFLxGvzxLP_UTQbwEY99bQfyftWzZHwaOP+WrzJ8099EKtbVLg@mail.gmail.com> <4864d279-9a3f-eaf4-c297-ea34be604e41@metux.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Enrico,

Am Mittwoch, 14. Februar 2018, 13:38:48 CET schrieb Enrico Weigelt:
> On 14.02.2018 12:30, Richard Weinberger wrote:
> > On Wed, Feb 14, 2018 at 12:27 PM, Enrico Weigelt <lkml@metux.net> wrote:
> >> On 14.02.2018 11:24, Aleksa Sarai wrote:
> >>> What distribution are you using and which release?
> >> 
> >> On a self-compiled system.
> >> 
> >> Forgot to enable namespaces in the kernel. Now it seems to work
> >> as root, but not as an unprivileged user:
> >> 
> >> 
> >> daemon@alphabox:~ unshare -r -U
> >> unshare: can't open '/proc/self/setgroups': Permission denied
> >> daemon@alphabox:~ unshare -f -r -U
> >> unshare: can't open '/proc/self/setgroups': Permission denied
> > 
> > Please read http://man7.org/linux/man-pages/man7/user_namespaces.7.html
> > setgroups is a corner case and needs special care.
> 
> I'm still confused. Does the unshare program do something wrong here ?

It does what you ask it for.
Also see the --setgroups switch.
AFAICT --setgroups=deny is the new default, then your command line should just 
work. Maybe your unshare tool is too old.

> Anyways, I doubt that user namespaces help solving my problem.
> 
> What I'd like to achieve is that processes can manipulate their private
> namespace at will and mount other filesystems (primarily 9p and fuse).
> 
> For that, I need to get rid of setuid (and per-file caps) for these
> private namespaces.

This is exactly why we have the user namespace.
In the user namespace you can create your own mount namespace and do (almost) 
whatever you want.
Please note that you cannot mount any kind of filesystem.
For FUSE, see https://lwn.net/Articles/684774/

Thanks,
//richard

-- 
sigma star gmbh - Eduard-Bodem-Gasse 6 - 6020 Innsbruck - Austria
ATU66964118 - FN 374287y