Namespaces in operation, part 5: User namespaces
[Development] Posted Feb 27, 2013 18:51 UTC (Wed) by mkerrisk
Continuing our ongoing series on namespaces, this
article looks more closely at user namespaces, a feature whose
implementation was (largely) completed in Linux 3.8.
User namespaces allow per-namespace mappings
of user and group IDs. This means that a process's user and group IDs
inside a user namespace can be different from its IDs outside of the
namespace. Most notably, a process can have a nonzero user ID outside a
namespace while at the same time having a user ID of zero inside the
namespace; in other words, the process is unprivileged for operations
outside the user namespace but has root privileges inside the namespace.
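As an added illustration (not code from the original article or its author), the following Python 3 program shows the two halves of what the paragraph above describes: the per-namespace ID mapping, expressed as the `/proc/PID/uid_map` format (`inside-ID outside-ID length`) that the kernel uses, and a process that is unprivileged outside a user namespace becoming UID 0 inside one. The `CLONE_NEWUSER` value is the kernel's constant from `<sched.h>`, 65534 is the kernel's default overflow ID for unmapped users, and the write of `deny` to `/proc/self/setgroups` is a requirement that kernels from 3.19 onward added after this article was written; the function names and the sample mappings are constructed for this example.

```python
import ctypes
import ctypes.util
import os

# Flag value from <sched.h>; stable across Linux releases.
CLONE_NEWUSER = 0x10000000
# Default /proc/sys/kernel/overflowuid: how an unmapped outside ID is
# reported inside the namespace (usually the "nobody" user).
OVERFLOW_ID = 65534


def parse_id_map(text):
    """Parse the contents of /proc/PID/uid_map (or gid_map).

    Each line reads: <ID inside namespace> <ID outside namespace> <length>.
    Returns a list of (inside_start, outside_start, length) tuples.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append((inside, outside, length))
    return entries


def inside_to_outside(inside_id, entries):
    """Translate an ID as seen inside the namespace to its outside ID.

    Returns None when no mapping covers the ID: such an ID has no identity
    outside the namespace at all.
    """
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def outside_to_inside(outside_id, entries):
    """Translate an outside ID to how it appears inside the namespace.

    Outside IDs that no mapping covers show up as the overflow ID.
    """
    for inside, outside, length in entries:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_ID


def become_root_in_new_userns():
    """Fork a child that enters a fresh user namespace and maps the caller's
    ordinary UID/GID to 0 inside it, then reports what geteuid() says there.

    Returns (uid_outside, uid_seen_inside), or None if the kernel or the
    sandbox refuses unprivileged user namespace creation.
    """
    uid, gid = os.getuid(), os.getgid()
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(read_end)
        try:
            libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
            if libc.unshare(CLONE_NEWUSER) != 0:
                raise OSError(ctypes.get_errno(), "unshare(CLONE_NEWUSER) failed")
            try:
                # Kernels >= 3.19 require this before an unprivileged process
                # may write gid_map; on older kernels the file does not exist.
                with open("/proc/self/setgroups", "w") as f:
                    f.write("deny")
            except FileNotFoundError:
                pass
            # Single-line maps of the writer's own IDs need no privilege.
            # Each map must be written in one write() call.
            with open("/proc/self/uid_map", "w") as f:
                f.write(f"0 {uid} 1")
            with open("/proc/self/gid_map", "w") as f:
                f.write(f"0 {gid} 1")
            os.write(write_end, str(os.geteuid()).encode())
        except OSError as exc:
            os.write(write_end, f"ERR {exc}".encode())
        finally:
            os._exit(0)
    os.close(write_end)
    reply = os.read(read_end, 256).decode()
    os.close(read_end)
    os.waitpid(pid, 0)
    if reply.startswith("ERR"):
        return None
    return uid, int(reply)


if __name__ == "__main__":
    # Constructed sample map: inside UID 0 corresponds to outside UID 1000.
    sample = parse_id_map("0 1000 1\n")
    print("inside 0 -> outside", inside_to_outside(0, sample))
    print("outside 0 -> inside", outside_to_inside(0, sample))
    result = become_root_in_new_userns()
    if result is None:
        print("unprivileged user namespaces not available here")
    else:
        print("uid outside namespace: %d, geteuid() inside: %d" % result)
```

The parser and translation functions capture the mapping semantics regardless of whether the running kernel allows unprivileged namespace creation; the live demonstration reports the inside UID only when `unshare(CLONE_NEWUSER)` succeeds, which distribution or sandbox policy may forbid.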