bind mounting namespace inodes for unprivileged users

James Bottomley James.Bottomley at
Wed May 4 13:16:42 UTC 2016

On Wed, 2016-05-04 at 10:44 +0200, Karel Zak wrote:
> On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> > Right at the moment, unprivileged users cannot call mount --bind to
> > create a permanent copy of any of their namespaces.  This is
> > annoying
> > because it means that for entry to long running containers you have
> > to
> > spawn an undying process and use nsenter via the /proc/<pid>/ns
> > files.
> Well, unshare is able to create permanent namespaces and the bind
> mounts and nsenter is able to follow these files, but you need root
> permissions to create this stuff.
>  touch /home/kzak/ns
>  sudo unshare --uts=/home/kzak/ns
>  <exit namespace>
>  sudo nsenter --uts=/home/kzak/ns
> it means you really do not need any process in the namespace.

Yes, I do this when I'm root.

> Not sure about unprivileged users, it always sounds like a game with
> Pandora's box ;-)

But that's currently my specific problem: binding a container when I'm
an unprivileged user.  I was thinking of persuading mount to do it, but
unshare could as well, provided it's setuid root.  I'm leery of
proliferating setuid root binaries, which is why I was looking at
mount, but I could easily (more easily than mount) make unshare do it
if that's preferred.


More information about the Containers mailing list