Re: plan9 semantics on Linux - mount namespaces

From: Enrico Weigelt
Date: Wed Feb 14 2018 - 07:38:58 EST


On 14.02.2018 12:30, Richard Weinberger wrote:
On Wed, Feb 14, 2018 at 12:27 PM, Enrico Weigelt <lkml@xxxxxxxxx> wrote:
On 14.02.2018 11:24, Aleksa Sarai wrote:

What distribution are you using and which release?


On a self-compiled system.

Forgot to enable namespaces in the kernel. Now it seems to work
as root, but not as an unprivileged user:


daemon@alphabox:~ unshare -r -U
unshare: can't open '/proc/self/setgroups': Permission denied
daemon@alphabox:~ unshare -f -r -U
unshare: can't open '/proc/self/setgroups': Permission denied


Please read http://man7.org/linux/man-pages/man7/user_namespaces.7.html
setgroups is a corner case and needs special care.

I'm still confused. Does the unshare program do something wrong here ?

Anyways, I doubt that user namespaces help solving my problem.

What I'd like to achieve is that processes can manipulate their private namespace at will and mount other filesystems (primarily 9p and fuse).

For that, I need to get rid of setuid (and per-file caps) for these
private namespaces.


--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287