GSoC Idea: per-process filesystem namespaces for FreeBSD

Bakul Shah bakul at
Tue Mar 13 22:34:06 UTC 2018

On Tue, 13 Mar 2018 15:43:08 -0600 Warner Losh <imp at> wrote:
Warner Losh writes:
> On Tue, Mar 13, 2018 at 1:55 PM, Kristoffer Eriksson <ske at> wrote:
> >
> > On 13 Mar 2018 12:53:18, Theron <theron.tarigo at> wrote:
> > > For those unfamiliar with Plan9, here is a rough explanation of the
> > > namespace feature: unlike in Unix, where all processes share the same
> > > virtual filesystem, each process instead has its own view of the
> > > filesystem according to what has been mounted ...
> >
> > What if I mount a new /etc with a passwd file where root has no
> > password, and then run "su"?
> >
> > (How does Plan9 handle that?)
> >
> Plan9 handles that by having a daemon that does user authentication. It's
> actually more complicated than that, but the machine owner has control over
> who can do what. For this to work in FreeBSD, either we'd need to disallow
> the 'file' type for passwd, or we'd have to do something sensible with
> setuid programs. Well, maybe not 'or' but 'and' since the security of
> setuid programs depends on the security of the filesystem.... Plan 9
> doesn't have these complications, so it can offer a user malleable
> filesystem without security risk.

Plan9 has no root (superuser) or setuid.  You can mangle
anything in your namespace but it affects only *your* own
process and its future descendents.

The following paper on Plan9 authentication in Linux may be
worth reading:

While I have wanted per-process namespace in BSD for a long
time, I agree with Konstantin this is a non-trivial project.
Even if the design was fully fleshed out, implementing it
would likely take longer than 12 weeks.

More information about the freebsd-hackers mailing list