From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Karel Zak <kzak@redhat.com>
Cc: util-linux@vger.kernel.org, ebiederm@xmission.com
Subject: Re: [PATCH] nsenter: fix ability to enter unprivileged containers
Date: Mon, 18 Apr 2016 13:28:15 -0400
Message-ID: <1461000495.7385.18.camel@HansenPartnership.com>
In-Reply-To: <20160418171103.lcbrxvaldcyhemd3@ws.net.home>

On Mon, 2016-04-18 at 19:11 +0200, Karel Zak wrote:
> On Mon, Apr 18, 2016 at 11:37:34AM -0400, James Bottomley wrote:
> > OK, so if you want me to reply properly, you're going to have to keep
> > my address in the cc list.
> > 
> > > > If you enter it first, you lose privilege for subsequent namespace
> > > > enters, see issue
> > > >
> > > > https://github.com/karelzak/util-linux/issues/315
> > > >
> > > > The fix is to enter the user namespace last of all.
> > > 
> > > I verified that with *current*/unpatched nsenter,
> > > 
> > > $ unshare -rm sleep inf &
> > > $ nsenter -t $! -U -m --preserve
> > > 
> > > works as expected (from regular user [and with unprivileged userns
> > > enabled]).
> > > 
> > > With this patch it *won't* work [verified], of course (as you'll need
> > > root privileges in userns before joining mount-ns, and you can only
> > > obtain them by entering userns first).
> > 
> > So we're using userns for different things.  I'm using it to remove
> > privilege (so on my userns implementation root in the host enters but
> > on becoming root in the userns, it can do nothing other than write to
> > its own files) and you're using it to enhance privilege.  It looks like
> > these two things will always be mutually exclusive, so perhaps we need
> > an extra flag to nsenter to say do the userns first or last?
> 
> That's what I have talked about at github -- see Eric's comment in the
> code, the user NS is the first in the array for a good reason. May be
> it would be really better to add --user-{first,last} options to
> specify when you want to enter user NS.

OK, I'll code this up; hang on.

James
