Hi there,
I've been playing around with unprivileged user namespaces on Alpine
and decided to write a simple tool to make them feasible (without
installing LXC) on Alpine's hardened kernel.
I've just pushed it to GitHub:
https://github.com/stevenjm/uuns
It's essentially the same thing as "unshare --user", but the executable
has the file capabilities necessary to create user namespaces, and has
execution restricted to a "uuns" group. This provides an easy way for
the administrator to control permissions for creating unprivileged
namespaces; simply add users to the "uuns" group.
I'm interested in feedback. If this is something of interest to the
distribution, I'll try my hand at creating a package for it.
--
Steven
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
I like its simplicity and default behavior to start a shell.
I am not very familiar with namespaces myself, but this looks like a good idea.
I'll try it when I have time.
Cheers,
Theo.
On Monday, May 22, 2017, Steven McDonald wrote:
> Hi there,
>
> I've been playing around with unprivileged user namespaces on Alpine
> and decided to write a simple tool to make them feasible (without
> installing LXC) on Alpine's hardened kernel.
>
> I've just pushed it to GitHub:
>
> https://github.com/stevenjm/uuns
>
> It's essentially the same thing as "unshare --user", but the executable
> has the file capabilities necessary to create user namespaces, and has
> execution restricted to a "uuns" group. This provides an easy way for
> the administrator to control permissions for creating unprivileged
> namespaces; simply add users to the "uuns" group.
>
> I'm interested in feedback. If this is something of interest to the
> distribution, I'll try my hand at creating a package for it.
>
> --
> Steven
On Mon, 22 May 2017 13:19:59 +0000
7heo <7heo@mail.com> wrote:
> I like its simplicity and default behavior to start a shell.
>
> I am not very familiar with namespaces myself, but this looks like a
> good idea.
>
> I'll try it when I have time.
Thanks for the feedback.
After some more experimentation, I think this is actually not very
useful. The same thing can be accomplished by simply creating the
namespace as root and then mapping a different user to root inside the
namespace. The documentation had initially led me to believe otherwise.
I'll leave this up on GitHub in case somebody else has a use for it, but
I probably won't be doing anything else with it myself.
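The approach described in the last message (create the namespace as root, then map a different user to root inside it), as an added example that is not part of the thread and is not the uuns code from the linked repository. It assumes a Linux kernel with user namespaces and the /proc/PID/setgroups file, is built with `cc -o uuns_root uuns_root.c`, and is run as root in the initial namespace with the target uid on the command line; the file name, the function names and the gid fallback are my assumptions.

```c
/* uuns_root.c (added example): as root, create a user namespace in which
 * uid 0 is an ordinary user of the host, then exec a shell there.
 *   ./uuns_root 1000 [command...]   -> uid 0 inside, uid 1000 outside */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* One "inside outside count" extent as /proc/PID/uid_map and gid_map
 * expect it. Returns the length written, or -1 if it does not fit. */
int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, size, "%u %u %u", inside, outside, count);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Single write(2) to /proc/<pid>/<name>: the kernel accepts exactly one
 * successful write to uid_map and gid_map per namespace. */
static int write_proc(pid_t pid, const char *name, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, name);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(text);
    int ok = write(fd, text, len) == len;
    int saved = errno;
    close(fd);
    errno = saved;
    return ok ? 0 : -1;
}

/* Parent side. Must run in the parent user namespace with CAP_SETUID and
 * CAP_SETGID there (root in the initial namespace qualifies): a process
 * that has already entered the new namespace may only map its own uid. */
static int map_root_to(pid_t child, uid_t uid, gid_t gid)
{
    char map[64];
    if (format_id_map(map, sizeof map, 0, (unsigned)uid, 1) < 0 || write_proc(child, "uid_map", map) < 0)
        return -1;
    /* "deny" is only required when the writer lacks CAP_SETGID in the parent
     * namespace, but it also disables setgroups(2) inside the namespace,
     * which is what a single-user mapping wants. Must precede gid_map. */
    if (write_proc(child, "setgroups", "deny") < 0)
        return -1;
    if (format_id_map(map, sizeof map, 0, (unsigned)gid, 1) < 0 || write_proc(child, "gid_map", map) < 0)
        return -1;
    return 0;
}

/* Child side: drop the host's supplementary groups while setgroups(2) is
 * still permitted, create the namespace, wait for the maps, then become
 * uid/gid 0 of the namespace (the target user on the host) and exec. */
static void child(int from_parent, int to_parent, char *const argv[])
{
    if (setgroups(0, NULL) < 0)              { perror("setgroups"); _exit(127); }
    if (unshare(CLONE_NEWUSER) < 0)          { perror("unshare(CLONE_NEWUSER)"); _exit(127); }
    char c = 'n';
    if (write(to_parent, &c, 1) != 1 || read(from_parent, &c, 1) != 1 || c != 'm') {
        fprintf(stderr, "parent did not install the id maps\n");
        _exit(127);
    }
    close(from_parent);
    close(to_parent);
    if (setgid(0) < 0 || setuid(0) < 0)      { perror("setgid/setuid"); _exit(127); }
    execvp(argv[0], argv);
    perror("execvp");
    _exit(127);
}

/* Run argv in a fresh user namespace whose root is uid/gid on the host.
 * Returns the child's exit status, or -1 when setup failed. */
int run_as_ns_root(uid_t uid, gid_t gid, char *const argv[])
{
    int c2p[2], p2c[2];
    if (pipe(c2p) < 0 || pipe(p2c) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(c2p[0]); close(p2c[1]);
        child(p2c[0], c2p[1], argv);         /* does not return */
    }
    close(c2p[1]); close(p2c[0]);
    char c = 0;
    int status = -1;
    if (read(c2p[0], &c, 1) == 1 && c == 'n') {    /* child is inside the new namespace */
        if (map_root_to(pid, uid, gid) == 0) {
            c = 'm';
            if (write(p2c[1], &c, 1) != 1) perror("write");
        } else {
            perror("installing id maps");
        }
    }
    close(c2p[0]);
    close(p2c[1]);                           /* EOF makes a still-waiting child give up */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <uid> [command...]\n", argv[0]); return 2; }
    if (geteuid() != 0) { fprintf(stderr, "%s: run as root in the initial namespace\n", argv[0]); return 2; }
    char *end;
    unsigned long u = strtoul(argv[1], &end, 10);
    if (*argv[1] == '\0' || *end != '\0') { fprintf(stderr, "bad uid: %s\n", argv[1]); return 2; }
    struct passwd *pw = getpwuid((uid_t)u);
    gid_t gid = pw ? pw->pw_gid : (gid_t)u;  /* assumption: gid == uid when the user is unknown */
    char *shell[] = { "/bin/sh", NULL };
    char *const *cmd = argc > 2 ? &argv[2] : shell;
    int rc = run_as_ns_root((uid_t)u, gid, cmd);
    return rc < 0 ? 1 : rc;
}
```

Inside the resulting shell `id` reports uid 0 and full capabilities, while `ps` on the host shows the same process as the target uid, which is what `unshare --user` plus a uid_map gives without putting file capabilities on any binary. Two details the thread does not spell out: the maps have to be written by a process that stays in the parent namespace (hence the fork and the pipe handshake; the child could only map its own uid), and the host's supplementary groups must be dropped before `unshare`, because once setgroups is denied they can no longer be shed from inside.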