James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> writes:
> If you enter it first, you lose privilege for subsequent namespace
> enters, see issue
>
> https://github.com/karelzak/util-linux/issues/315
>
> The fix is to enter the user namespace last of all.

I verified that with *current*/unpatched nsenter,

$ unshare -rm sleep inf &
$ nsenter -t $! -U -m --preserve

works as expected (from a regular user [and with unprivileged userns enabled]).

With this patch it *won't* work [verified], of course (as you'll need root privileges in userns before joining mount-ns, and you can only obtain them by entering userns first).

Of course, you can work around it by invoking nsenter twice:

$ nsenter -t $! -U --preserve nsenter -t $! -m

but the same could be said about issue 315: you can work around it by manually splitting entering mount-ns and user-ns, something like

# nsenter --mount=/run/build-container/aarch64 nsenter --user=/run/build-container/user

or (if /run/build-container/user is not visible inside mount-ns)

# nsenter --mount=/run/build-container/aarch64 nsenter --user=/dev/fd/3 3</run/build-container/user

(disclaimer: unverified; on my kernel mount-bind fails for mount-ns fds).

> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
>
> diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
> index d8690db..1525f15 100644
> --- a/sys-utils/nsenter.c
> +++ b/sys-utils/nsenter.c
> @@ -52,13 +52,13 @@ static struct namespace_file { > * first. This gives an unprivileged user the potential to > * enter the other namespaces. > */ > - { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 }, > { .nstype = CLONE_NEWCGROUP,.name = "ns/cgroup", .fd = -1 }, > { .nstype = CLONE_NEWIPC, .name = "ns/ipc", .fd = -1 }, > { .nstype = CLONE_NEWUTS, .name = "ns/uts", .fd = -1 }, > { .nstype = CLONE_NEWNET, .name = "ns/net", .fd = -1 }, > { .nstype = CLONE_NEWPID, .name = "ns/pid", .fd = -1 }, > { .nstype = CLONE_NEWNS, .name = "ns/mnt", .fd = -1 }, > + { .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 }, > { .nstype = 0, .name = NULL, .fd = -1 } > }; -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
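Review bot: the comment kept as leading context in this hunk ("first. This gives an unprivileged user the potential to enter the other namespaces.") still describes the old ordering and becomes wrong once the `{ .nstype = CLONE_NEWUSER, .name = "ns/user", .fd = -1 }` entry is moved from the head of the table to its tail; the comment should be rewritten to say why the user namespace is now entered last and what that costs. That cost is the regression the reply above demonstrates: setns() into a mount namespace needs CAP_SYS_ADMIN in the user namespace that owns it, so an unprivileged caller targeting an `unshare -rm` process (`nsenter -t $! -U -m --preserve`) can no longer enter both in one invocation. Rather than an unconditional reorder that trades issue 315 for this breakage, consider keeping the user namespace first when the caller lacks privilege in the target namespaces and entering it last only in the privileged case, or documenting the two-invocation workaround in the man page.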