From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: Date: Fri, 7 Sep 2007 16:21:50 -0600 From: "Latchesar Ionkov" To: "Fans of the OS Plan 9 from Bell Labs" <9fans@cse.psu.edu> Subject: Re: [9fans] 1/2 OT: per-process mounts/namespace @ Linux In-Reply-To: <3e1162e60709071426mf4a4ea2kfdb4500fe763b0a9@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20070907200915.GA20929@nibiru.local> <3e1162e60709071426mf4a4ea2kfdb4500fe763b0a9@mail.gmail.com> Topicbox-Message-UUID: bb2be526-ead2-11e9-9d60-3106f5b1d025 The simple solution would be to disable setuid/setgid flags for private namespaces of users other than root. And then (not so simple) fix programs that don't work :) Lucho On 9/7/07, David Leimbach wrote: > > > On 9/7/07, Eric Van Hensbergen wrote: > > Linux actually has private namespaces, its just off by default. There > > is a flag to clone which can be used to establish new processes in > > private namespaces (CLONENS or some such thng). > > > > Primary downside is that its superuser only -- but you could get > > around it with setuid or custom kernel. > > > > -eric > > > > > > Then you have to worry about what happens when people do things like binding > over /etc/passwd :-) > > > >