[lxc-devel] usernsselfmap

Kees Cook keescook at chromium.org
Wed Mar 6 22:41:48 UTC 2013


On Wed, Mar 6, 2013 at 2:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> just to help play with user namespaces some more I pushed a C version
> of Eric's script for completely unprivileged use of user namespaces to
> https://code.launchpad.net/~serge-hallyn/+junk/nsexec and to the
> nsexec package in ppa:serge-hallyn/userns-natty.  Appending the code
> below as well.  The point is:  you unshare a new user namespace, and
> in there you map uid 0 to your host uid, then start a shell.  This
> requires zero setup on the host (so the shadow package updates to define
> per-user subuids are not needed for these games).  From that shell you
> can unshare mounts, network, uts namespace, etc, and basically be root
> in your fake little domain.
>
> It's fun.  I just './usernsselfmap', and I can pretend I'm root.

Yeah, cool. I updated my tools based on the example too. It looks like
I was losing a race, so adding the pipe sync solved my issues. Also, I
think you can only map a range of 1.

> BTW, Eric, where the heck does one find the latest version of
> util-linux?  Latest I could find did not yet know about userns.
> (Once that lands in ubuntu I can drop my nsexec altogether, as well
> as lxc-unshare)

AFAICT, it hasn't been released yet. It was only in vcs. I had to go
find libuser too. :)

>
> Anyway, enjoy!

Thanks!

I wish there was a cleaner way to do this kind of IPC lock-step. It's
such a common pattern, and it's so unreadable. :)

-Kees

-- 
Kees Cook
Chrome OS Security
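The unshare-then-map-then-shell sequence described above, including the pipe hand-off that fixes the race Kees mentions, as an added example that is not the nsexec code from Serge's branch: the parent writes a single-entry uid_map and gid_map for the child and closes the pipe, and the child does not exec the shell until it sees EOF. It goes beyond the thread in one respect: kernels newer than this discussion (3.19 and later) refuse gid_map until "deny" has been written to /proc/PID/setgroups, so the example does that too; it assumes /bin/sh exists and that unprivileged CLONE_NEWUSER is enabled.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Render one uid_map/gid_map line "<inside> <outside> <count>\n".
 * Returns the length written, or -1 if buf cannot hold it. */
int build_map_line(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count) {
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
/* The kernel accepts a map only as a single write(2); a partial write is rejected. */
static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}
/* Child: wait for EOF on the sync pipe (maps written), then exec a shell. Without the wait
 * the shell could start while getuid() still reports the overflow id (65534). */
static int child(void *arg) {
    int *fds = arg; char c;
    close(fds[1]);
    if (read(fds[0], &c, 1) != 0) return 1;   /* EOF means the maps are in place */
    close(fds[0]);
    execl("/bin/sh", "sh", (char *)0);
    perror("execl"); return 1;
}
static char stack[64 * 1024];                  /* child stack for clone(2) */
int main(void) {
    int fds[2], status; char path[64], line[64];
    if (pipe(fds) < 0) { perror("pipe"); return 1; }
    pid_t pid = clone(child, stack + sizeof stack, CLONE_NEWUSER | SIGCHLD, fds);
    if (pid < 0) { perror("clone(CLONE_NEWUSER)"); return 1; }
    close(fds[0]);
    /* Linux >= 3.19 (newer than this thread) requires setgroups to be denied before gid_map is writable. */
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)pid); write_file(path, "deny");
    /* Map id 0 inside the namespace to our own host ids; without a setuid helper only one id may be mapped. */
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    if (build_map_line(line, sizeof line, 0, getuid(), 1) < 0 || write_file(path, line)) { perror("uid_map"); return 1; }
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)pid);
    if (build_map_line(line, sizeof line, 0, getgid(), 1) < 0 || write_file(path, line)) { perror("gid_map"); return 1; }
    close(fds[1]);                             /* EOF on the pipe releases the child */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Inside the resulting shell `id` reports uid 0, while files created there are still owned by the host uid that was mapped.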