> > why do you think that the lack of a super user makes per-process namespaces
> > work?
>
> The fact that you own the hardware you are running on means there's no
> need to provide enhanced priv's (such as root) to protect things like
> mount(2).
that's a property of per-process namespaces, not the lack of a root user.
in this sense plan 9 has a limited root—the hostowner that owns the devices
on a machine and is trusted wrt the authentication protocol.

> And if you do something stupid, the only damage you can do is
> to yourself. Just look at all the hoops FUSE must jump through to keep
> people from being able to bodge the entire system.

for some reason, the linux guys have convinced themselves that per process
namespaces can't be done without security problems. i see no reason that
pam couldn't do plan 9 style authentication with a process running on
behalf of root with its own namespace. they've changed everything else in
unix, why hold so tightly to the clearly unhelpful ideas?

- erik