[systemd-devel] systemd-nspawn create container under unprivileged user
Alban Crequy
alban.crequy at gmail.com
Thu Feb 5 14:38:54 PST 2015
On 5 February 2015 at 12:48, Vasiliy Tolstov <v.tolstov at selfip.ru> wrote:
>
> 2015-02-05 12:44 GMT+03:00 Alban Crequy <alban.crequy at gmail.com>:
>>
>> Manual page namespaces(7):
>>
>> Creation of new namespaces using clone(2) and unshare(2) in most
>> cases
>> requires the CAP_SYS_ADMIN capability. User namespaces are the
>> exception: since Linux 3.8, no privilege is required to create a
>> user
>> namespace.
>
>
> So as i understand i can't create full featured container with network under
> non root user (and not have cap_sys_admin)
caps like CAP_SYS_ADMIN don't have an global meaning anymore but
refers to operations a process can do *in its current namespace*. An
unprivileged process (uid!=0, without cap_sys_admin) can join a user
namespace and get uid=0 & cap_sys_admin for operations inside the user
namespace, but it will still have uid!=0 & !cap_sys_admin for
operations in the parent user namespace.
user_namespaces(7) contains userns_child_exec.c and it creates a fully
featured container with network without being root. (I attached a
patched version I was testing)
# # Because I'm using the kernel patched by my distribution
# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
$ gcc -lcap -o userns_child_exec userns_child_exec.c
Here it seems to work:
alban at alban:~$ ls -l /tmp/userns_child_exec
-rwxr-xr-x 1 alban alban 14488 Feb 5 23:24 /tmp/userns_child_exec
alban at alban:~$ id -u
1000
alban at alban:~$ ip link # ---> will show lo, eth0, wlan0...
alban at alban:~$ /tmp/userns_child_exec -p -m -U -M '0 1000 1' -G '0
1000 1' -n bash
About to exec bash
root at alban:~# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root at alban:~# ip link # ---> only lo visible in this namespace
Cheers,
Alban
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userns_child_exec.patch
Type: text/x-patch
Size: 1483 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150205/6566cc87/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userns_child_exec.c
Type: text/x-csrc
Size: 9047 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150205/6566cc87/attachment.c>
More information about the systemd-devel
mailing list