[lxc-devel] usernsselfmap

Eric W. Biederman ebiederm at xmission.com
Thu Mar 7 02:44:26 UTC 2013


Kees Cook <keescook at chromium.org> writes:

> On Wed, Mar 6, 2013 at 2:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> just to help play with user namespaces some more I pushed a C version
>> of Eric's script for completely unprivileged use of user namespaces to
>> https://code.launchpad.net/~serge-hallyn/+junk/nsexec and to the
>> nsexec package in ppa:serge-hallyn/userns-natty.  Appending the code
>> below as well.  The point is:  you unshare a new user namespace, and
>> in there you map uid 0 to your host uid, then start a shell.  This
>> requires zero setup on the host (so the shadow package updates to define
>> per-user subuids are not needed for these games).  From that shell you
>> can unshare mounts, network, uts namespace, etc, and basically be root
>> in your fake little domain.
>>
>> It's fun.  I just './usernsselfmap', and I can pretend I'm root.
>
> Yeah, cool. I updated my tools based on the example too. It looks like
> I was losing a race, so adding the pipe sync solved my issues. Also, I
> think you can only map a range of 1.
>
>> BTW, Eric, where the heck does one find the latest version of
>> util-linux?  Latest I could find did not yet know about userns.
>> (Once that lands in ubuntu I can drop my nsexec altogether, as well
>> as lxc-unshare)
>
> AFAICT, it hasn't been released yet. It was only in vcs. I had to go
> find libuser too. :)

git://git.kernel.org/pub/scm/utils/util-linux/util-linux

> I wish there was a cleaner way to do this kind of IPC lock-step. It's
> such a common pattern, and it's so unreadable. :)

For what it's worth, if you are going to do a combined binary, and you
are just going to worry about yourself, you don't have to fork to
write /proc/self/uid_map with 0 $old_uid 1.

I had originally hoped to do an upcall to validate other writes to
/proc/self/uid_map, but the code was never solid and I went with what works
now.

Eric
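
[Added example, not code from this thread or from the nsexec branch it links: the no-fork self-map Eric describes above. The process calls unshare(CLONE_NEWUSER), writes "0 <host uid> 1" into its own /proc/self/uid_map in a single write(2) (the kernel rejects a map delivered in pieces), does the same for gid_map, and then execs a shell. The count is 1 for the reason Kees gives: without CAP_SETUID in the parent namespace a writer may only map its own id. The /proc/self/setgroups "deny" step is a later requirement (Linux 3.19 and up) that did not exist when this thread was written; the code tolerates its absence on older kernels. Assumes a kernel with user namespaces enabled and a /bin/sh to exec.]

```c
/* Added example (not from the lxc-devel thread): unprivileged self-map
 * into a fresh user namespace without a fork/pipe handshake.
 * Build: cc -o usernsselfmap usernsselfmap.c ; run: ./usernsselfmap [cmd...]
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Format one id-map line "<inside> <outside> <count>\n" into buf.
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_idmap(char *buf, size_t len, unsigned int inside,
                 unsigned int outside, unsigned int count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Write data to path in exactly one write(2). uid_map/gid_map accept a
 * single write only, so a partial write is treated as failure. */
static int write_once(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, len);
    int saved = errno;
    close(fd);
    if (w != (ssize_t)len) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Enter a new user namespace and map uid/gid 0 inside it to the caller's
 * real uid/gid on the host. Count is 1: an unprivileged writer may only
 * map its own id. Returns 0 on success, -1 with errno set on failure. */
int self_map_root(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int n;

    if (unshare(CLONE_NEWUSER) < 0)
        return -1;

    n = format_idmap(map, sizeof map, 0, (unsigned int)uid, 1);
    if (n < 0 || write_once("/proc/self/uid_map", map, (size_t)n) < 0)
        return -1;

    /* Linux >= 3.19 requires setgroups to be disabled before an
     * unprivileged gid_map write; ENOENT means an older kernel. */
    if (write_once("/proc/self/setgroups", "deny", 4) < 0 && errno != ENOENT)
        return -1;

    n = format_idmap(map, sizeof map, 0, (unsigned int)gid, 1);
    if (n < 0 || write_once("/proc/self/gid_map", map, (size_t)n) < 0)
        return -1;

    return 0;
}

int main(int argc, char **argv)
{
    if (self_map_root() < 0) {
        perror("self_map_root");
        return 1;
    }
    /* getuid() now reports 0 inside the namespace; the shell can go on
     * to unshare mount, net and uts namespaces on its own. */
    if (argc > 1)
        execvp(argv[1], argv + 1);
    else
        execl("/bin/sh", "sh", (char *)NULL);
    perror("exec");
    return 1;
}
```

Run it as an ordinary user and `id` in the resulting shell reports uid 0; outside the namespace the process is still the original user, so "root" here carries only the capabilities the namespace grants over its own resources.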
