make-private-fs 1 user commands nosh make-private-fs populate various private-mount parts of the filesystem make-private-fs --temp --devices --homes --hide directory next-prog make-private-fs is a chain-loading utility that mounts private volumes in various parts of the filesystem namespace and pre-populates them, and then chain loads to next-prog with the execvp3 function. next-prog may contain its own command line options, which make-private-fs will ignore. The parts of the filesystem that are mounted and populated are controlled by command-line options as follows: --temp Empty directories, held below a superuser-only-accessible parent, are mounted at /tmp and /var/tmp. They have rwx permissions for the owner, group, and world; and they have the sticky bit set. --devices A tmpfs filesystem is mounted at /dev, without any real devices in it. It is populated only with "API" devices such as /dev/shm. On Linux, a devpts filesystem is mounted at /dev/pts. On BSD systems, a fdescfs filesystem is mounted at /dev/fd. --homes This is causes empty directories, held below a superuser-only-accessible parent, to be mounted at various user home directories, or collections of user home directories. It is currently equivalent to --hide /home, --hide /run/user, and --hide /root. Pseudo-user home directories such as /var/lib/rabbitmq, /var/lib/qmail, and /var/lib/mysql are not covered by this, as they are not considered to hold an individual real user's private files. --hide directory Empty directories, held below a superuser-only-accessible parent, are mounted at directory. They have rwx permissions for the owner, and no permissions for anyone else. The command will fail if the process is not running under the aegis of the superuser, because most of the internal operations necessary are not permitted to non-superusers. make-private-fs is usually run chain-loaded from unshare1. Beware: Running it without unsharing first will affect the global mount namespace. Jonathan de Boyne Pollard