From: ebiederm@xmission.com (Eric W. Biederman)
To: Karel Zak <kzak@redhat.com>
Cc: util-linux@vger.kernel.org, Neil Horman <nhorman@tuxdriver.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Subject: [PATCH] unshare: Add support for the pid and user namespaces
Date: Fri, 11 Jan 2013 14:53:34 -0800
Message-ID: <8738y7jpqp.fsf_-_@xmission.com>
In-Reply-To: <20130111161320.GA16206@x2.net.home> (Karel Zak's message of "Fri, 11 Jan 2013 17:13:20 +0100")
- Update the unshare application to support the pid and user namespaces.
- Update the man page for the new options
- Fix typo in the man page where UTS was spelled UTC.
- Remove the vestigial support for running a suid unshare.
After unsharing a user namespace setuid(getuid()) won't work because
no uid or gid mappings have been specified yet. So it is just easier not
to have any support for running suid.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
This is on top of unshare with Neil's unshare patch reverted.
sys-utils/unshare.1 | 19 +++++++++++++++----
sys-utils/unshare.c | 27 ++++++++++++++++++---------
2 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1
index 1325e34..8cdc6e5 100644
--- a/sys-utils/unshare.1
+++ b/sys-utils/unshare.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii lscpu.1
.\"
-.TH UNSHARE 1 "October 2008" "util-linux" "User Commands"
+.TH UNSHARE 1 "January 2013" "util-linux" "User Commands"
.SH NAME
unshare \- run program with some namespaces unshared from parent
.SH SYNOPSIS
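Review bot: the header comment two lines above the updated .TH line still reads "groff -man -Tascii lscpu.1"; since this hunk already touches the page header, fix the copy-paste leftover to "unshare.1" so the build hint in the file matches the page it belongs to.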
@@ -31,6 +31,13 @@ process will have independent IPv4 and IPv6 stacks, IP routing tables, firewall
rules, the \fI/proc/net\fP and \fI/sys/class/net\fP directory trees, sockets
etc. (\fBCLONE_NEWNET\fP flag).
.TP
+.BR "pid namespace"
+children will have a distinct set of pid to process mappings than their parent.
+(\fBCLONE_NEWPID\fP flag).
+.TP
+.BR "user namespace"
+process will have distinct set of uids, gids and capabilities. (\fBCLONE_NEWUSER\fP flag).
+.TP
See the \fBclone\fR(2) for exact semantics of the flags.
.SH OPTIONS
.TP
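Review bot: the two new entries understate what the caller actually gets. For "pid namespace", unshare(2) with CLONE_NEWPID leaves the calling process in its original pid namespace; only children it creates afterwards land in the new one, and the first such child becomes pid 1 there, so a reader who expects the program started by "unshare -p" to be pid 1 will be surprised. For "user namespace", the commit message already says that no uid or gid mappings exist after unsharing, so the man page should say so too, since until a mapping is written the process appears with the overflow uid/gid despite holding a full capability set in the new namespace. Suggested wording: "children will have a distinct set of pid to process mappings from their parent" and "process will have a distinct set of uids, gids and capabilities"; also, the "(\fBCLONE_NEWPID\fP flag)." parenthetical should sit on the same line as the description, as the net entry does, so groff does not start a new paragraph.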
@@ -41,16 +48,20 @@ Print a help message,
Unshare the mount namespace,
.TP
.BR \-u , " \-\-uts"
-Unshare the UTC namespace,
+Unshare the UTS namespace,
.TP
.BR \-i , " \-\-ipc"
Unshare the IPC namespace,
.TP
.BR \-n , " \-\-net"
Unshare the network namespace.
+.TP
+.BR \-p , " \-\-pid"
+Unshare the pid namespace.
+.TP
+.BR \-U , " \-\-user"
+Unshare the user namespace.
.SH NOTES
-The unshare command drops potential privileges before executing the
-target program. This allows to setuid unshare.
.SH SEE ALSO
.BR unshare (2),
.BR clone (2)
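Review bot: removing the two lines under ".SH NOTES" leaves an empty section heading in the rendered page. Either drop the ".SH NOTES" line as well, or better, keep the section and replace the old text with the new rule the commit message states: unshare no longer drops privileges and must not be installed setuid, and after "--user" the program runs without uid or gid mappings until they are written by the caller.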
diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
index 9de997b..00cc2cf 100644
--- a/sys-utils/unshare.c
+++ b/sys-utils/unshare.c
@@ -41,6 +41,12 @@
#ifndef CLONE_NEWNET
# define CLONE_NEWNET 0x40000000
#endif
+#ifndef CLONE_NEWUSER
+# define CLONE_NEWUSER 0x10000000
+#endif
+#ifndef CLONE_NEWPID
+# define CLONE_NEWPID 0x20000000
+#endif
#ifndef HAVE_UNSHARE
# include <sys/syscall.h>
@@ -63,7 +69,9 @@ static void usage(int status)
fputs(_(" -m, --mount unshare mounts namespace\n"
" -u, --uts unshare UTS namespace (hostname etc)\n"
" -i, --ipc unshare System V IPC namespace\n"
- " -n, --net unshare network namespace\n"), out);
+ " -n, --net unshare network namespace\n"
+ " -p, --pid unshare pid namespace\n"
+ " -U, --user unshare user namespace\n"), out);
fputs(USAGE_SEPARATOR, out);
fputs(USAGE_HELP, out);
@@ -82,6 +90,8 @@ int main(int argc, char *argv[])
{ "uts", no_argument, 0, 'u' },
{ "ipc", no_argument, 0, 'i' },
{ "net", no_argument, 0, 'n' },
+ { "pid", no_argument, 0, 'p' },
+ { "user", no_argument, 0, 'U' },
{ NULL, 0, 0, 0 }
};
@@ -94,7 +104,7 @@ int main(int argc, char *argv[])
textdomain(PACKAGE);
atexit(close_stdout);
- while((c = getopt_long(argc, argv, "hVmuin", longopts, NULL)) != -1) {
+ while((c = getopt_long(argc, argv, "hVmuinpU", longopts, NULL)) != -1) {
switch(c) {
case 'h':
usage(EXIT_SUCCESS);
@@ -113,6 +123,12 @@ int main(int argc, char *argv[])
case 'n':
unshare_flags |= CLONE_NEWNET;
break;
+ case 'p':
+ unshare_flags |= CLONE_NEWPID;
+ break;
+ case 'U':
+ unshare_flags |= CLONE_NEWUSER;
+ break;
default:
usage(EXIT_FAILURE);
}
@@ -124,13 +140,6 @@ int main(int argc, char *argv[])
if(-1 == unshare(unshare_flags))
err(EXIT_FAILURE, _("unshare failed"));
- /* drop potential root euid/egid if we had been setuid'd */
- if (setgid(getgid()) < 0)
- err(EXIT_FAILURE, _("cannot set group id"));
-
- if (setuid(getuid()) < 0)
- err(EXIT_FAILURE, _("cannot set user id"));
-
execvp(argv[optind], argv + optind);
err(EXIT_FAILURE, _("exec %s failed"), argv[optind]);
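Review bot: deleting the setgid/setuid drop is the right fix for the CLONE_NEWUSER case, but it also removes the only thing that made a setuid-root install harmless; nothing in main() now refuses to run with elevated privileges. Consider refusing early with something like "if (geteuid() != getuid() || getegid() != getgid()) errx(EXIT_FAILURE, _(\"unshare must not be setuid\"));" ahead of the unshare() call, or at minimum state the requirement in the man page, since the NOTES text that used to document the privilege handling is removed in the same patch.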
--
1.7.5.4