are nosuid and PR_SET_NO_NEW_PRIVS still needed?
Leaving this here for comments, discussion, etc. In the default version of Apptainer we now use the user namespace to enforce privileges. Does it make sense to stop mounting the file system with the nosuid option and stop setting the PR_SET_NO_NEW_PRIVS on the starter process? I understand this gives us a "belt and suspenders" approach to security, but that's not very fashionable. :smile_cat:
Maybe we could allow this to be configurable by the admin?
I note that allowing setuid to work inside of a user namespace might only be helpful when using /etc/sub[ug]id mapping, which apptainer only uses in --fakeroot mode and only when the mappings are previously set up by the system administrator. It isn't helpful in an ordinary unprivileged user namespace where there is only one functioning user id.