On Mon, 16 Jun 2026, Miklos Szeredi <[email protected]> wrote:
> Sounds really easy to trick: start the server in the initial user ns,
> then clone the mounter with a new user/mount namespace. The
> init_user_ns test will pass happily, since the server is running in
> the initial namespace.
Ah, the intention was to limit sync to sufficiently privileged FUSE setups. I missed that the initial user namespace is not equivalent to elevated permissions.

I am thinking instead it would make sense to assert that the opener of /dev/fuse has CAP_SYS_ADMIN in the initial user namespace. They could then hand off the fd to a less privileged server, but that is the prerogative of that privileged user, so I think it satisfies the spirit of the DoS prevention requirement.

I will follow up shortly with a new version.

Thank you!
Jimmy

