Kees Cook <keesc...@chromium.org> writes:

> On Wed, Mar 6, 2013 at 2:25 PM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:
>> just to help play with user namespaces some more I pushed a C version
>> of Eric's script for completely unprivileged use of user namespaces to
>> https://code.launchpad.net/~serge-hallyn/+junk/nsexec and to the
>> nsexec package in ppa:serge-hallyn/userns-natty. Appending the code
>> below as well. The point is: you unshare a new user namespace, and
>> in there you map uid 0 to your host uid, then start a shell. This
>> requires zero setup on the host (so the shadow package updates to define
>> per-user subuids are not needed for these games). From that shell you
>> can unshare mounts, network, uts namespace, etc, and basically be root
>> in your fake little domain.
>>
>> It's fun. I just './usernsselfmap', and I can pretend I'm root.
>
> Yeah, cool. I updated my tools based on the example too. It looks like
> I was losing a race, so adding the pipe sync solved my issues. Also, I
> think you can only map a range of 1.
>
>> BTW, Eric, where the heck does one find the latest version of
>> util-linux? Latest I could find did not yet know about userns.
>> (Once that lands in ubuntu I can drop my nsexec altogether, as well
>> as lxc-unshare)
>
> AFAICT, it hasn't been released yet. It was only in vcs. I had to go
> find libuser too. :)

git://git.kernel.org/pub/scm/utils/util-linux/util-linux

> I wish there was a cleaner way to do this kind of IPC lock-step. It's
> such a common pattern, and it's so unreadable. :)

For what it's worth, if you are going to do a combined binary, and you
are just going to worry about yourself, you don't have to fork to write
/proc/self/uid_map with 0 $old_uid 1.

I had originally hoped to do an upcall to validate other writes to
/proc/self/uid_map, but the code was never solid and I went with what
works now.

Eric

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
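As an added example (not code from this thread, nor from Serge's nsexec), a minimal C program doing what Eric describes: unshare a user namespace and write `0 $old_uid 1` to /proc/self/uid_map from the same process, with no fork and no pipe sync. Function names are my own; the setgroups step is a later kernel requirement (Linux 3.19 and up) that did not exist when this thread was written.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* in case sched.h was seen before _GNU_SOURCE */
#endif
int unshare(int flags);
/* Build one "inside outside count" map line; returns its length, or -1 if it will not fit. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* The kernel accepts a map only when the whole thing arrives in a single write(2). */
static int write_once(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t w = write(fd, s, strlen(s));
    int err = w < 0 ? -errno : (size_t)w != strlen(s) ? -EIO : 0;
    close(fd);
    return err;
}

/* Unshare a user namespace and map id 0 inside it to our real uid/gid, from this process (no fork). */
int become_fake_root(void)
{
    char map[64]; int err;
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    /* Linux >= 3.19 only: gid_map is writable unprivileged after setgroups is denied; absent on 2013 kernels. */
    err = write_once("/proc/self/setgroups", "deny");
    if (err && err != -ENOENT) return err;
    format_id_map(map, sizeof map, 0, getuid(), 1);   /* "0 $old_uid 1": a range of exactly 1 */
    if ((err = write_once("/proc/self/uid_map", map))) return err;
    format_id_map(map, sizeof map, 0, getgid(), 1);
    return write_once("/proc/self/gid_map", map);
}

int main(void)
{
    int err = become_fake_root();
    if (err) { fprintf(stderr, "failed: %s\n", strerror(-err)); return 1; }
    execl("/bin/sh", "sh", (char *)NULL);   /* uid 0 inside the namespace: "pretend I'm root" */
    return 1;
}
```

If the host disables unprivileged user namespaces, unshare() fails with EPERM and the program exits before any map is written.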