[systemd-devel] Users and system namespaces

Lennart Poettering lennart at poettering.net
Fri Jan 24 02:07:18 PST 2014


On Thu, 23.01.14 13:54, Ben Boeckel (mathstuf at gmail.com) wrote:

> Hi,
> 
> As I mused on LWN[1] recently, I was wondering whether it was possible
> to have user units be able to hook into namespaces (namely the
> PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
> namespacing options are added in the future).

What do you mean by "user units"? Those run off an unprivileged "systemd
--user" instance? Or those run off PID 1 but with User= set?

Note that the whole namespacing thing is only available from systemd
instances that themselves are privileged, i.e. only from PID 1...

>   - ability for a system service to expose what namespace it just
>     created (to avoid the set-environment hackery above);
>   - a directive to list users and groups allowed to enter into
>     namespaces created in a unit (something like
>     "ExposeNamespaceToUsers=group:vpn,wheel" maybe?); and
>   - a way for a systemd --user to get namespace file descriptors from
>     PID 1.

The privileges thing is quite limiting. Joining namespaces from
unprivileged code is hard... You need some kind of setuid binary
transition there, but I wouldn't see how you would make that
happen... And the complexity gives me headaches...

Lennart

-- 
Lennart Poettering, Red Hat

