User namespace

User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys and capabilities.

A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace.

In other words, the process has full privileges for operations inside the user namespace but is unprivileged for operations outside the namespace.

A user namespace allows the creation of a process with all capabilities but with an arbitrary UID and GID mapping.

  • The process keeps its UID and GIDs.

  • But these need to be mapped to specific values.

  • No mapping → 65534 (nobody).

The mapping is a per-process, one-time operation.

  • /proc/[PID]/uid_map
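
The lookup described above, as an added example that is not part of the original page: it parses the contents of a map file and translates IDs in both directions, reporting unmapped IDs as 65534. It assumes the kernel's three-column map layout (first ID inside, first ID outside, count); the function names and the sample map are constructed for illustration.

```python
"""Translate IDs through a user-namespace map (layout of /proc/[PID]/uid_map)."""
from typing import List, NamedTuple, Optional

OVERFLOW_ID = 65534  # "nobody": how an unmapped ID is reported (kernel default)


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the namespace
    outside: int  # first ID as seen from the parent namespace
    count: int    # number of consecutive IDs covered


def parse_id_map(text: str) -> List[Extent]:
    """Parse the 'inside outside count' lines of a uid_map or gid_map file."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        extents.append(Extent(*(int(f) for f in fields)))
    return extents


def to_outside(ns_id: int, extents: List[Extent]) -> Optional[int]:
    """Parent-namespace ID behind an in-namespace ID, or None if unmapped."""
    for e in extents:
        if e.inside <= ns_id < e.inside + e.count:
            return e.outside + (ns_id - e.inside)
    return None


def to_inside(outer_id: int, extents: List[Extent]) -> int:
    """How a parent-namespace ID appears inside; unmapped IDs show as 65534."""
    for e in extents:
        if e.outside <= outer_id < e.outside + e.count:
            return e.inside + (outer_id - e.outside)
    return OVERFLOW_ID


# Constructed sample: UID 0 inside is unprivileged UID 1000 outside, followed
# by a range of 65536 IDs starting at 100000 for in-namespace UIDs 1..65536.
SAMPLE_UID_MAP = "0 1000 1\n1 100000 65536\n"

if __name__ == "__main__":
    extents = parse_id_map(SAMPLE_UID_MAP)
    for uid in (0, 1, 70000):
        print(f"inside {uid} -> outside {to_outside(uid, extents)}")
    print(f"outside 0 -> inside {to_inside(0, extents)}")
```

With the sample map, host UID 0 has no entry, so anything owned by real root appears inside the namespace as 65534, while the namespace's own UID 0 resolves to the unprivileged UID 1000 outside.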
