From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Sat 11 Oct 2003 - 03:40:22 BST
riel_at_surriel.com (Rik van Riel) writes:
>> * CLONE_NEWNS + pivot_root are requiring CAP_SYS_ADMIN (which
>> is not acceptable for vservers); using a new capability for
>> CLONE_NEWNS seems to be possible, but pivot_root(2) needs
>> additional logic. Else, when executed in root-namespace,
>> pivot_root(2) can do really bad things with your system.
> Why pivot_root(2) instead of mount --recbind ?
I cannot bind another directory to /dev/root (e.g. after 'mount
--bind <chroot> /' I still have the old root directory). To make
secure vserver chroots I would do
... CLONE_NEWNS ...
# mount [--bind] <chroot> /vservers/<xxx>
# cd /vservers/<xxx>
# pivot_root . old_root
# exec chroot . sh -c "umount old_root; exec /sbin/init" </dev/null >/dev/null
[from pivot_root(8) manpage]
Because of security reasons, the last actions should be done in a native
binary which is copied from old_root into a newly created tmpfs
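The root-switch recipe quoted from pivot_root(8), carried out in one native binary rather than a shell pipeline, as an added example that is not code from the original mail or from the vserver project. It assumes a modern Linux, where unshare(2) stands in for clone(CLONE_NEWNS) and the inherited mounts are remounted private first so the bind and pivot cannot propagate back into the host namespace; the function name switch_root_and_exec is this example's own, and running it for real needs root.

```c
/* Added example, not from the original mail: the pivot_root(8) recipe as one
 * native binary.  Assumes modern Linux (unshare(2) for clone(CLONE_NEWNS))
 * and root privileges when actually run. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Make NEWROOT (e.g. /vservers/<xxx>) the root of this process in a fresh
 * mount namespace, detach the old root and exec INIT inside it.  Only
 * returns on failure, with -errno; each step mirrors a line of the recipe. */
int switch_root_and_exec(const char *newroot, const char *init)
{
    /* ... CLONE_NEWNS ...: private namespace, then make every inherited
     * mount private so nothing below propagates back into the host. */
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    /* mount --bind <chroot> /vservers/<xxx>: pivot_root(2) needs a mount
     * point, not a plain directory, so bind the tree onto itself. */
    if (mount(newroot, newroot, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -errno;
    /* cd /vservers/<xxx>; pivot_root . old_root (put_old must lie under
     * the new root, hence it is created inside it). */
    if (chdir(newroot) < 0)
        return -errno;
    if (mkdir("old_root", 0700) < 0 && errno != EEXIST)
        return -errno;
    if (syscall(SYS_pivot_root, ".", "old_root") < 0)
        return -errno;
    /* chroot . ; umount old_root: lazy detach so the host root leaves this
     * namespace even if something still holds a reference to it. */
    if (chroot(".") < 0 || chdir("/") < 0)
        return -errno;
    if (umount2("/old_root", MNT_DETACH) < 0)
        return -errno;
    /* exec /sbin/init </dev/null >/dev/null */
    int fd = open("/dev/null", O_RDWR);
    if (fd >= 0) { dup2(fd, 0); dup2(fd, 1); if (fd > 1) close(fd); }
    execl(init, init, (char *)NULL);
    return -errno;
}
```

Without privileges, or with a directory that does not exist, the function fails at the first step it cannot perform and reports which one.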