User namespace
User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys and capabilities.
A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace.
In other words, the process has full privileges for operations inside the user namespace but is unprivileged for operations outside the namespace.
Allows the creation of a process with all capabilities but with an arbitrary UID & GID mapping.
The process keeps the UID and GIDs.
But these need to be mapped to specific values.
No mapping à 65534 (nobody).
The mapping is a per-process, one-time operation.
/proc/[PID]/uid_mapping
Last updated