How do I set up a Linux system so that different users have independent mount points?

Can I set up a Linux system where each user has a distinct mount view?

Absolutely, this is fully achievable on Linux using kernel-level mount namespace isolation and a few userland tools. You can give each regular user a per-user mount namespace with its own isolated view of the filesystem while root's "real" filesystem stays intact, exactly as you described with UUID-specific views or sandboxed data.

Method 1: PAM Namespace (Automatic Per-User Isolation on Login)

This is the most seamless approach for a multi-user system, as it automatically spins up a dedicated mount namespace for each user the moment they log in.

  • First, install the pam_namespace package (package name varies by distro: libpam-namespace on Debian/Ubuntu, pam_namespace on RHEL/CentOS).
  • Edit /etc/security/namespace.conf to define per-user mount rules. Here are two common use cases:
    • Bind-mount a specific partition (by UUID) for the user:
      user1 /home/user1 none bind,uuid=1234-ABCD 0 0
      user2 /home/user2 none bind,uuid=5678-EFGH 0 0
      
    • Sandbox with OverlayFS (read-only base + writable user layer):
      user1 / none overlay lowerdir=/opt/base-system,upperdir=/home/user1/overlay-write,workdir=/home/user1/overlay-work 0 0
      
  • Update your PAM session config (e.g., /etc/pam.d/common-session or /etc/pam.d/login) to enable the module:
    session required pam_namespace.so
    

Method 2: Manual Isolation with unshare (Testing/Ad-Hoc Sessions)

If you want to test the setup or create isolated sessions on-demand, unshare lets you spawn a process in a fresh mount namespace:

  1. Launch a shell in a new mount namespace:
    unshare -m bash
    
  2. Configure the mounts for this namespace (e.g., mount a UUID and hide restricted directories):
    # Mount the user's dedicated partition
    mount UUID=1234-ABCD /home/user1
    # Make system directories appear empty (instead of permission-denied)
    mount -t tmpfs none /root
    mount -t tmpfs none /var/log
    
  3. Switch to the target user to access their isolated view:
    su - user1
    
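The following script is an added example, not code from the original answer or from the pam_namespace or util-linux projects. It wraps steps 1-3 above in one root-only function and adds the verification a practitioner wants for either method: confirming that a login (Method 1) or an unshare session (Method 2) really landed in a separate mount namespace, and that a masked directory is covered by a tmpfs in that namespace but untouched in root's. The user name user1, the UUID 1234-ABCD and the masked paths are the placeholders used above; the script assumes a Linux /proc and a util-linux unshare that accepts --propagation.

```shell
#!/bin/sh
# Added example: per-user mount namespace session plus verification helpers.
# user1 / 1234-ABCD / the masked paths are placeholders from the answer above.

# Mount namespace identity of a process, e.g. "mnt:[4026531840]".
# Reading another user's ns link needs ptrace access, so an unprivileged
# caller may get "unknown" instead of an identifier.
mntns_of() {
    readlink "/proc/$1/ns/mnt" 2>/dev/null || echo unknown
}

# 0 when the two PIDs are in different mount namespaces, 1 when they share
# one, 2 when it cannot be determined. Compare a login shell with PID 1 to
# check that pam_namespace (or unshare) actually isolated the session.
in_separate_mntns() {
    a=$(mntns_of "$1"); b=$(mntns_of "$2")
    { [ "$a" = unknown ] || [ "$b" = unknown ]; } && return 2
    [ "$a" != "$b" ]
}

# Print "mountpoint fstype source" for every mount under a prefix, in kernel
# order (later lines are stacked on top of earlier ones). $1 is a mountinfo
# file (/proc/self/mountinfo or a saved copy), $2 the path prefix.
# mountinfo: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
mounts_under() {
    awk -v p="$2" '
        index($5, p) == 1 {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            print $5, $(i + 1), $(i + 2)
        }' "$1"
}

# The topmost mount on a path is the one a process sees. Returns 0 when it is
# a tmpfs, i.e. the directory has been masked as the answer describes.
hidden_by_tmpfs() {
    mounts_under "$1" "$2" |
        awk -v p="$2" '$1 == p { top = $2 } END { exit (top == "tmpfs") ? 0 : 1 }'
}

# Steps 1-3 as one root-only function: a new mount namespace with private
# propagation (so nothing mounted here leaks back into root's view), the
# user's partition, the masking tmpfs mounts, then a login shell for the user.
# $1 = user name, $2 = filesystem UUID.
start_isolated_session() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    unshare -m --propagation private sh -c '
        set -e
        mount "UUID=$2" "/home/$1"
        # nodev,nosuid,noexec,size: the mask only needs to be an empty dir
        mount -t tmpfs -o nodev,nosuid,noexec,size=1m none /root
        mount -t tmpfs -o nodev,nosuid,noexec,size=1m none /var/log
        exec su - "$1"
    ' sh "$1" "$2"
}

# Usage (as root):  sh mntns-session.sh user1 1234-ABCD
# Inside the session, `hidden_by_tmpfs /proc/self/mountinfo /var/log` returns 0;
# in root's original shell the same call returns 1 and /var/log is unchanged.
if [ $# -ge 2 ]; then
    start_isolated_session "$1" "$2"
fi
```

The propagation flag is spelled out even though recent unshare defaults to private for a new mount namespace: on systemd hosts the root mount is shared, and a shared mount would propagate the tmpfs masks back into root's view, defeating the whole point.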

Critical Considerations

  • Lock Down Capabilities: Regular users must not hold CAP_SYS_ADMIN. That capability allows mount and namespace manipulation, which would let them escape the sandbox.
  • Resource Limits: If using dedicated partitions, set up disk quotas to prevent users from filling the disk. For OverlayFS, monitor the size of the writable upper layer to avoid running out of space.
  • Seamless User Experience: To hide "unreachable" directories, mount an empty tmpfs or blank bind mount over them in the user's namespace. This makes directories appear empty instead of showing permission errors, keeping the user unaware of the underlying isolation.
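To check the first consideration on a running system, the script below (an added example, not from the original answer) reads a process's capability sets from /proc/PID/status and reports whether CAP_SYS_ADMIN is present. The kernel prints each set as a 64-bit hex mask and CAP_SYS_ADMIN is bit 21, as documented in capabilities(7); the sample status file in the test is constructed.

```shell
#!/bin/sh
# Added example: does a process hold CAP_SYS_ADMIN, the capability the answer
# says regular users must not have? Capability sets appear in /proc/PID/status
# as 64-bit hex masks; CAP_SYS_ADMIN is bit 21 (capabilities(7)).

CAP_SYS_ADMIN=21

# $1 = hex mask as printed in /proc/PID/status (e.g. 000001ffffffffff),
# $2 = capability number. Returns 0 when that bit is set, 2 on empty input.
mask_has_cap() {
    [ -n "$1" ] || return 2
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# Read one capability set (CapEff, CapPrm, CapBnd, CapInh, CapAmb) from a
# status file. $1 = path (/proc/PID/status or a saved copy), $2 = set name.
cap_set_of() {
    awk -v k="$2:" '$1 == k { print $2 }' "$1"
}

# Report effective, permitted and bounding sets for one status file.
# A user without CAP_SYS_ADMIN in the bounding set cannot regain it even via
# a setuid binary, which is the state the answer asks for.
report_sys_admin() {
    for set in CapEff CapPrm CapBnd; do
        mask=$(cap_set_of "$1" "$set")
        if mask_has_cap "$mask" "$CAP_SYS_ADMIN"; then
            echo "$set $mask has CAP_SYS_ADMIN"
        else
            echo "$set $mask lacks CAP_SYS_ADMIN"
        fi
    done
}

# Wrapper for a live process; defaults to the current shell.
# Usage inside a user session:  sh capcheck.sh        (or: check_pid 1234)
check_pid() {
    report_sys_admin "/proc/${1:-$$}/status"
}
```

Run it from the user's login shell after setting up either method: all three sets should report "lacks CAP_SYS_ADMIN". If unprivileged user namespaces are enabled, a user can still obtain CAP_SYS_ADMIN inside a user namespace they create, but that only governs mounts in that child namespace and does not reach root's view.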

With these setups, you can fully sandbox user data, manage per-user dependencies, and keep root's access to the unmodified, real filesystem intact.


The question was sourced from Stack Exchange; question author: gudenau
