On Sat, Jul 26, 2014 at 01:22:54PM -0700, bobtfish@xxxxxxxxxxxx wrote:
> It's useful to be able to set the UID/GID even when not using user namespaces
> (for example when creating a non-root shell in a pre-existing docker container)
>
> Signed-off-by: Tomas Doran <bobtfish@xxxxxxxxxxxx>
> ---
>  sys-utils/nsenter.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
> index d57edc8..23798f9 100644
> --- a/sys-utils/nsenter.c
> +++ b/sys-utils/nsenter.c
> @@ -328,7 +328,7 @@ int main(int argc, char *argv[])
> if (do_fork == 1)
> continue_as_child();
>
> - if (namespaces & CLONE_NEWUSER) {
> + if (uid > 0 || gid > 0) {

Well, it breaks the current behavior (the default for CLONE_NEWUSER is
UID=0 and GID=0).

The question is whether this is the right direction, because I guess that
the next patch for nsenter(1) will be "please, add supplementary groups
support" ;-)

Maybe the best will be to add to su(1) support for namespaces, something
like:

    su --ns <pid>[:mount,uts,ipc,net,pid,user]

to enter namespaces after authentication (if required) and before identity
change. Not sure how huge this Pandora's box is, but it's definitely the
final solution for all the requirements, because su(1) already supports
all the UID/GID related features.

Eric, any note?

    Karel

-- 
 Karel Zak  <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com
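Review bot: the new condition `+ if (uid > 0 || gid > 0) {` drops the `namespaces & CLONE_NEWUSER` case instead of extending it, so entering a user namespace without an explicit UID/GID no longer reaches the identity-setting block, which is the behaviour change noted above; keeping both cases, e.g. `if ((namespaces & CLONE_NEWUSER) || uid > 0 || gid > 0) {`, preserves the old default while still allowing a UID/GID switch outside user namespaces. The `> 0` test also cannot distinguish an explicitly requested UID or GID of 0 from "not given", so a separate "was set" flag or a sentinel such as -1 would be clearer. Since the hunk's trailing context is cut off, please confirm that the block's body drops supplementary groups (setgroups) before the setgid/setuid calls when no user namespace is entered; otherwise the non-root shell created in an existing container inherits the caller's group list, which is exactly the supplementary-groups gap raised in the reply.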