From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <f158dc670709071521o5e82e3f0ia0191671c8b96edd@mail.gmail.com>
Date: Fri,  7 Sep 2007 16:21:50 -0600
From: "Latchesar Ionkov" <lucho@gmx.net>
To: "Fans of the OS Plan 9 from Bell Labs" <9fans@cse.psu.edu>
Subject: Re: [9fans] 1/2 OT: per-process mounts/namespace @ Linux
In-Reply-To: <3e1162e60709071426mf4a4ea2kfdb4500fe763b0a9@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20070907200915.GA20929@nibiru.local>
	<a4e6962a0709071315j2e578c02m6be1f55d2b779e5c@mail.gmail.com>
	<3e1162e60709071426mf4a4ea2kfdb4500fe763b0a9@mail.gmail.com>
Topicbox-Message-UUID: bb2be526-ead2-11e9-9d60-3106f5b1d025

The simple solution would be to disable setuid/setgid flags for
private namespaces of users other than root. And then (not so simple)
fix programs
that don't work :)

   Lucho


On 9/7/07, David Leimbach <leimy2k@gmail.com> wrote:
>
>
> On 9/7/07, Eric Van Hensbergen <ericvh@gmail.com> wrote:
> > Linux actually has private namespaces, its just off by default.  There
> > is a flag to clone which can be used to establish new processes in
> > private namespaces (CLONENS or some such thng).
> >
> > Primary downside is that its superuser only -- but you could get
> > around it with setuid or custom kernel.
> >
> >              -eric
> >
> >
>
> Then you have to worry about what happens when people do things like binding
> over /etc/passwd :-)
>
>
>
>