Re: unshare -m for non-root user

["U.Mutlu" <for-gmane@mutluit.com>]

Isaac Dunham wrote on 11/14/2015 07:17 PM:
> On Sat, Nov 14, 2015 at 08:25:10AM +0100, U.Mutlu wrote:
>> Eric W. Biederman wrote on 11/14/2015 04:53 AM:
>>> "U.Mutlu" <for-gmane@mutluit.com> writes:
>>>
>>>> Karel Zak wrote on 10/30/2015 11:22 AM:
>>>>> On Fri, Oct 30, 2015 at 03:09:15AM +0100, U.Mutlu wrote:
>>>>>> Hi,
>>>>>> I wonder why "unshare -m" doesn't work for an unpriviledged user:
>>>>>>
>>>>>> $ unshare -m /bin/bash
>>>>>> unshare: unshare failed: Operation not permitted
>>>>>> $ echo $?
>>>>>> 1
>>>>>> $ ls -l `which unshare`
>>>>>> -rwxr-xr-x 1 root root 14640 Mar 30  2015 /usr/bin/unshare
>>>>>>
>>>>>> Funny thing: when making the binary setuid then it works.
>>>>>> But I would prefer a working original version in the OS repository.
>>>>>>
>>>>>> OS: Debian 8
>>>>>>
>>>>>> # dpkg -l | grep -i util-linux
>>>>>> ii  util-linux                                 2.25.2-6            amd64
>>>>>> Miscellaneous system utilities
>>>>>>
>>>>>> Is this a bug, or is it not supposed to work for non-root users?
>>>>>
>>>>> man 2 unshare:
>>>>>
>>>>> CLONE_NEWNS
>>>>>
>>>>> This  flag has the same effect as the clone(2) CLONE_NEWNS flag.
>>>>> Unshare the mount namespace, so that the calling process has a private
>>>>> copy of its namespace which is not shared with any other process.
>>>>> Specifying this flag automatically implies CLONE_FS as well.  Use of
>>>>> CLONE_NEWNS requires the CAP_SYS_ADMIN capability.
>>>>>                            ^^^^^^^^^^^^
>>>>>
>>>>> .. so yes, it's expected behavior.
>>>>>
>>>>>       Karel
>>>>
>>>> I would say that the bug lies in the wrong file permissions.
>>>> chmod u+s fixes the bug, and I suggest that this should be the default.
>>>> Then non-root users can use it too.
>>>
>>> There is no bug.  There are real dangers in creating a new mount
>>> namespace as you can fool suid root applications like passwd.
>>
>> Any links to further info on that?
>
> To get a root shell, if you can run 'mount':
>
> Create a new file 'fakepasswd' containing this line (remove any newlines
> and spaces):
> root:$6$cKRXgPQf2npI1kN5$OaKLtkxZuEHgblQAV8s8ynmGfwV6w1GvdKPXVU1ZOVRk/dy4DO5pYv6CeBj4/Lr2KExSkXribZ4rerTVACQgi/:0:0:root:/root:/bin/ash
>
> Overmount /etc/passwd with that file:
> mount -o bind fakepasswd /etc/passwd
>
> Run 'su'.
> Press enter.
>
> And you're root.
> Then you can unmount /etc/passwd and change all passwords so you have
> permanent root.
>
> There are methods that you could use to make that particular example fail,
> but there are too many ways to do that sort of trick...
>
> HTH,
> Isaac Dunham

On my uptodate Debian 8 box I get this:
$ mount -o bind fakepasswd /etc/passwd
mount: only root can use "--options" option