Lennart Poettering

@swick yes, and that's a *feature* not a bug. If you acquire privs you want the guarantee that no one fucks around with your mounts and overmounts/replaces stuff that they shouldn't be able to.

That's *precisely* what I mean with clean context: if you use run0 you get a guaranteed clean execution context, with all such inherited namespace or whatnot shenanigans gone for good.

2 comments
Sebastian Wick

@pid_eins the point is that sometimes you need that context. If I'm in a toolbox sudo has to allow me to get things done in the context of the toolbox and not of the system root. In principle I agree with you about suid, I just don't see how you can get rid of it with containers.

Timothée Ravier

@swick @pid_eins For this use case, you can re-enter the toolbox/container but directly as root instead of your user. It needs some plumbing but it's doable.
