[轉]User namespaces – available to play!
User namespaces – available to play!
Over the past few months, Eric Biederman has been working on completing the user namespace. Briefly, unprivileged users can create a user namespace, where he can pretend to be root and start new namespaces (i.e. network and pid) which he will own (Note, creating namespaces in child user namespaces isn’t yet allowed, but will be). With respect to anything he owns – for instance new network interfaces which he creates in his own network namespace – he should have privilege. But he should not be able to escape his existing privileges in the parent user namespace. This finally should allow an unprivileged user to create a new filesystem tree and chroot into it, without risk of maliciously confusing setuid applications on the host (for instance by bind mounting his own /etc/passwd).
Eric’s new design is based on a 1-1 uid mapping (by ranges) from uids
in the container to uids on the host. For instance, uid 0 in the namespace may really be uid 999990 on the host. Users can be pre-allocated their own private ranges to use however they please. For instance each user may get 10,000 uids, with the first user’s range starting at 100,000. The uid and gid mappings are exposed and manipulated through /proc/pid/uid_map and /proc/pid/gid_map, which contain:
namespace_first_uid host_first_uid number_of_uids
For instance if it contains “0 100000 1000″, then uids 0 through 1000 in the namespace will map to uids 100000 through 101000 on the host, respectively. To write to the uid map, you must be privileged in your namespace, and your namespace must have the source ids mapped. (The mappings can be nested in the obvious way). In userspace, we expect to have a small setuid-root program which unprivileged users can call to map uids. That program will consult a root owned file which lists the permitted mappings. Right now we are using /etc/id_permission/uids and /etc/id_permission/gids. If /etc/id_permission/uids has
1000:100000:9999
1001:110000:9999
then uid 1000 (user hallyn) will be allowed to map the uids 100000 through 109999, and 1001 (user jschmoe) will be allowed to map uids 110000 through 119999.
Eric’s git tree is here. His patchset applied to the ubuntu quantal kernel tree is here, and the resulting kernel is built and available at ppa:serge-hallyn/userns-natty.
So you can try it out! Like so:
Start an amazon ec2 instance of precise. Find an ami to use (ami=`ubuntu-cloudimg-query precise`) and start it up (ec2-run-instances -k myid $ami). Log in and update /etc/apt/sources.list to look as follows:
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ quantal main universe
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ quantal main universe
then update (sudo apt-get update && sudo apt-get -y dist-upgrade). Add my userns-natty ppa (sudo add-apt-repository ppa:serge-hallyn/userns-natty) and update again (sudo apt-get update && sudo apt-get -y dist-upgrade), then reboot into the new kernel.
As I’ve said, the uid mapping is in /proc/self/uid_map. On the host that looks like
0 0 4294967295
Grab nsexec from my ppa to create new namespaces (sudo apt-get install nsexec) and run
sudo nsexec -cU /bin/bash
Inside the new namespace, /proc/self/uid_map is empty. So we need to add some mappings. From a root terminal on the host (not in the new namespace), do
echo “0 555550 10″ > /proc/$pid/uid_map
echo “0 555550 10″ > /proc/$pid/gid_map
Where $pid is the process id of the shell in the namespace. The nsexec package includes a utility called uidmap which will do this for you, so you can just do
sudo uidmap $pid 555550 10
(This utility will soon support being run setuid-root and consulting the above-mentioned /etc/id_permission/files)
Now back in the nsexec shell, switch to the new namespaced root userid using newuidexec (from the nsexec package) using:
newuidexec 0
Now you can do:
#id
uid=0(root) gid=0(root) groups=0(root)
#touch /tmp/zzz
#ls -l /root
ls: cannot open directory /root: Permission denied
#ls -l /tmp/zzz
-rw-r--r-- 1 root root 0 May 9 16:45 zzz
while back in your host root shell, you see:
#ls -l /tmp
-rw-r--r-- 1 55550 55550 0 May 9 16:45 zzz
The same thing will happen with all cases where a uid crosses the user->kernel api. For instance if you send credentials over a unix socket to a task in another user namespace, the uid will be converted to a valid mapping in the other user namespace, or, if none exists, to the overflowuid.
So, after many years, user namespaces are real! Perhaps the biggest remaining obstacle to using user namespaces for a real distro container is converting more capable() calls to ns_capable(). Soon.
[轉]User namespaces – available to play!的更多相关文章
- Python 基礎 - 字符轉編碼操作
回顧字符編碼的前世今生 ASCII 只能儲英文或特殊字符,只占一個字節,一個字節8bit,不能儲中文,所以才出現Unicode Unicode 不管是中文或英文,都是占二個字節,一個字節8bit UT ...
- HTML轉PDF - 使用Pechkin套件
剛好跟人討論到HTML轉PDF需求,便對工具進行簡單評估以備不時之需. 網路上比較多人推的是WkHtmlToPdf,如果是用.NET開發,已經有人包成NuGet套件,直接搜尋pechkin就可找到,它 ...
- Python Scopes and Namespaces
Before introducing classes, I first have to tell you something about Python's scope rules. Class def ...
- 用ColorMatrix將Bitmap轉成灰度图
在Android中,若想將整張圖片轉成灰階效果其實有更簡便的方式,只要透過ColorMatrix類別的setSaturation函式將飽和度設為0即可.(您也可以試試從0~1之間的值,看看不同飽和度的 ...
- 多余的Using Namespaces或引用会影响程序的执行效率么?
在.NET程序编写中,需要using相应命名空间或添加相应的References,可有时候没有使用到的命名空间也被添加到了Using Namespaces中,那么,这样会影响程序的执行效率么? 通过示 ...
- 轉發和重定向-JSP
最近在復習JSP,寫案例時遇到轉發和重定向的問題,忽然忘記了好多東西.趕緊搜索了下,感覺還是比較常用的. 轉:http://blog.csdn.net/CYHJRX/article/details/3 ...
- Q郵箱轉移自定義目錄中的郵件
1.之前在Q郵箱上建立了許多規則和收件箱,現在想統一用Mac上的郵局管理 2.Mac上會同步對應郵箱的自定義目錄,此時這些目錄便十分多餘礙眼 3.Q郵箱單頁顯示郵件數量上限是100,這意味著手動轉移十 ...
- XML 命名空间(XML Namespaces)
XML 应用程序 XML CDATA XML 命名空间提供避免元素命名冲突的方法. 命名冲突 在 XML 中,元素名称是由开发者定义的,当两个不同的文档使用相同的元素名时,就会发生命名冲突. 这个 X ...
- ASP.NET MVC 4 部署到 Windows Azure 如何轉換時區設定
由於公司慢慢地開始將新的專案都移往 Windows Azure 雲端平台做網站代管,漸漸地也開始遇到一些小問題,這些問題在還沒上雲端之前通常不會發生,像我們這次遇到的問題就跟顯示時間有關.由於 Win ...
随机推荐
- Springboot01-web
Springboot快速构建 访问http://start.spring.io 构建springboot项目,这里选择版本2.0.4 单击Generate Project按钮下载springboot ...
- Flask-Scrip
介绍及安装 Flask-Script是一个让你的命令行支持自定义命令的工具,它为Flask程序添加一个命令行解释器.可以让我们的程序从命令行直接执行相应的程序. 安装 pip install Flas ...
- Ptyhon变量,常量,注释
变量的命名规则: 1.变量由字母,数字,下划线搭配而成 2.变量不能以数字开头 3.变量也不能是Python的关键字. 4.变量不要有中文 5.名字要有意义 6.名字不要太长 变量的两种命名方式: 1 ...
- Codeforces 488D Strip (set+DP)
D. Strip time limit per test 1 second memory limit per test 256 megabytes input standard input outpu ...
- hashRouter and BrowserRouter
<html><body> <div> <button class="btn" onclick="btnFun();"& ...
- 解决error: Microsoft Visual C++ 14.0 is required 问题
1.https://964279924.ctfile.com/fs/1445568-239446865 2.重新安装 .Net framework 更高的版本:https://support.micr ...
- python 发送json数据操作实例分析 - python
文章来源:嗨学网 敏而好学论坛www.piaodoo.com 欢迎大家相互学习 本文实例讲述了python 发送json数据操作.分享给大家供大家参考,具体如下: # !/usr/bin/env py ...
- leetcode-165周赛-1277-统计全为1的正方形子矩阵
题目描述: 自己的提交: class Solution: def countSquares(self, matrix: List[List[int]]) -> int: if not matri ...
- SQL Join连接
SQL 连接(Joins) SQL join 用于把来自两个或多个表的行结合起来. SQL JOIN SQL JOIN 子句用于把来自两个或多个表的行结合起来,基于这些表之间的共同字段. 最常见的 J ...
- springcloud的config
CONFIG服务端 加入依赖: <dependency> <groupId>org.springframework.cloud</groupId> <arti ...