logoalt Hacker News

progvaltoday at 11:20 AM1 replyview on HN

Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.


Replies

reactordevtoday at 11:32 AM

yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /