From: Karel Zak <kzak@redhat.com>
To: bobtfish@bobtfish.net
Cc: util-linux@vger.kernel.org, Eric Biederman <ebiederm@xmission.com>
Subject: Re: [PATCH] Setting uid / gid is generally useful in nseneter
Date: Mon, 28 Jul 2014 13:56:30 +0200
Message-ID: <20140728115630.GJ8533@x2.net.home>
In-Reply-To: <1406406174-20938-1-git-send-email-bobtfish@bobtfish.net>
On Sat, Jul 26, 2014 at 01:22:54PM -0700, bobtfish@bobtfish.net wrote:
> It's useful to be able to set the UID/GID even when not using user namespaces
> (for example when creating a non-root shell in a pre-existing docker container)
>
> Signed-off-by: Tomas Doran <bobtfish@bobtfish.net>
> ---
> sys-utils/nsenter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
> index d57edc8..23798f9 100644
> --- a/sys-utils/nsenter.c
> +++ b/sys-utils/nsenter.c
> @@ -328,7 +328,7 @@ int main(int argc, char *argv[])
> if (do_fork == 1)
> continue_as_child();
>
> - if (namespaces & CLONE_NEWUSER) {
> + if (uid > 0 || gid > 0) {
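Review bot: the condition `if (uid > 0 || gid > 0) {` that replaces `if (namespaces & CLONE_NEWUSER) {` drops the user-namespace case: when a user namespace is requested without an explicit uid/gid, the old branch still ran with the defaults uid=0/gid=0, while with this patch the guarded setuid/setgid code is skipped entirely. The `> 0` test also makes an explicitly requested uid 0 or gid 0 indistinguishable from "option not given". Suggest keeping the namespace test and adding the explicit case, e.g. `if ((namespaces & CLONE_NEWUSER) || uid > 0 || gid > 0) {`, or better, have the option parser record in a separate flag whether a uid/gid was passed and test that flag here.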
Well, it breaks the current behavior (the default for CLONE_NEWUSER
is UID=0 and GID=0).
The question is whether this is the right direction, because I guess that the next
patch for nsenter(1) will be "please, add supplementary groups support" ;-)
Maybe the best will be to add to su(1) support for namespaces, something
like:
su --ns <pid>[:mount,uts,ipc,net,pid,user]
to enter namespaces after authentication (if required) and before the
identity change. Not sure how huge this Pandora's box is, but it's
definitely the final solution for all the requirements, because su(1)
already supports all the UID/GID related features.
Eric, any note?
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
Thread overview (4+ messages):
2014-07-26 20:22 [PATCH] Setting uid / gid is generally useful in nseneter bobtfish
2014-07-28 11:56 ` Karel Zak [this message]
2014-07-28 19:24 ` Eric W. Biederman
2014-07-29 11:23 ` Karel Zak