bind mounting namespace inodes for unprivileged users
James.Bottomley at HansenPartnership.com
Wed May 4 13:16:42 UTC 2016
On Wed, 2016-05-04 at 10:44 +0200, Karel Zak wrote:
> On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> > Right at the moment, unprivileged users cannot call mount --bind to
> > create a permanent copy of any of their namespaces. This is annoying
> > because it means that for entry to long-running containers you have
> > to spawn an undying process and use nsenter via the /proc/<pid>/ns
> > files.
> Well, unshare is able to create permanent namespaces and the bind
> mounts and nsenter is able to follow these files, but you need root
> permissions to create this stuff.
> touch /home/kzak/ns
> sudo unshare --uts=/home/kzak/ns
> <exit namespace>
> sudo nsenter --uts=/home/kzak/ns
> it means you really do not need any process in the namespace.
Yes, I do this when I'm root.
> Not sure about unprivileged users, it always sounds like a game with
> Pandora's box ;-)
But that's currently my specific problem: binding a container when I'm
an unprivileged user. I was thinking of persuading mount to do it, but
unshare could as well, provided it's setuid root. I'm leery of
proliferating setuid root binaries, which is why I was looking at
mount, but I could easily (more easily than mount) make unshare do it
if that's preferred.
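The mechanism the two messages above rely on is a bind mount of a /proc/<pid>/ns/* handle onto an ordinary file: the mount holds a reference to the namespace, so it survives after every process in it has exited, and setns(2) on the pinned file re-enters it. The program below is an added example written for this page, not code from Karel, James, util-linux or the kernel; it does in C what `unshare --uts=FILE` and `nsenter --uts=FILE` do under the hood, and it surfaces the exact failure the thread is about: for a caller without CAP_SYS_ADMIN in the owning user namespace, mount(2) with MS_BIND fails with EPERM. The anchor path /tmp/ns-example-uts and the use of the UTS namespace are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* procfs handle of the calling thread's UTS namespace. */
#define NS_PATH "/proc/self/ns/uts"

/* A namespace handle is a pseudo-file on nsfs; its identity is the inode
 * number, which is what nsenter compares when deciding whether two handles
 * refer to the same namespace. Returns the inode, or 0 if stat() fails. */
unsigned long ns_inode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

/* Pin the namespace behind ns_path by bind-mounting it onto a regular file
 * at target (the anchor file is created or truncated here). Returns 0 on
 * success, otherwise the errno of the failing step. Without CAP_SYS_ADMIN in
 * the user namespace that owns the mount namespace, mount(2) returns EPERM,
 * which is the unprivileged-user limitation discussed in the thread. */
int pin_namespace(const char *ns_path, const char *target) {
    int fd = open(target, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    if (mount(ns_path, target, NULL, MS_BIND, NULL) != 0) {
        int err = errno;
        unlink(target);          /* do not leave a useless anchor behind */
        return err;
    }
    return 0;
}

/* Undo pin_namespace: detach the bind mount and remove the anchor file.
 * EINVAL from umount2 means target was not a mount point, which we tolerate
 * so the anchor file is still removed. */
int unpin_namespace(const char *target) {
    if (umount2(target, MNT_DETACH) != 0 && errno != EINVAL)
        return errno;
    unlink(target);
    return 0;
}

/* Enter the pinned namespace with setns(2). No process has to be alive in
 * the namespace: the bind mount keeps it referenced. Returns 0 or errno. */
int enter_pinned(const char *target) {
    int fd = open(target, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    int rc = (setns(fd, CLONE_NEWUTS) == 0) ? 0 : errno;
    close(fd);
    return rc;
}

int main(void) {
    const char *target = "/tmp/ns-example-uts";   /* assumed anchor path */

    printf("uts namespace inode: %lu\n", ns_inode(NS_PATH));
    int rc = pin_namespace(NS_PATH, target);
    if (rc != 0) {
        /* Expected as a normal user: "Operation not permitted". */
        printf("bind mount of %s failed: %s (uid %u)\n",
               NS_PATH, strerror(rc), (unsigned)getuid());
        return 1;
    }
    printf("pinned %s -> %s\n", NS_PATH, target);
    rc = enter_pinned(target);
    printf("setns via pinned file: %s\n", rc ? strerror(rc) : "ok");
    unpin_namespace(target);
    return 0;
}
```

Run it twice, once as root and once as an ordinary user: the first run pins, re-enters and unpins the namespace; the second fails at mount(2) with EPERM before any anchor is left on disk, which is why the thread ends up debating a setuid helper (mount or unshare) rather than a change to the mount target itself.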