~alpine/devel

2 2

[alpine-devel] uuns: Unprivileged user namespaces on hardened kernel

Steven McDonald <steven@steven-mcdonald.id.au>
Details
Message ID
<20170522140741.52076a6b@tuvix.sjm.so>
Sender timestamp
1495454861
DKIM signature
missing
Download raw message
6 years ago 
Hi there,

I've been playing around with unprivileged user namespaces on Alpine
and decided to write a simple tool to make them feasible (without
installing LXC) on Alpine's hardened kernel.

I've just pushed it to GitHub:

  https://github.com/stevenjm/uuns

It's essentially the same thing as "unshare --user", but the executable
has the file capabilities necessary to create user namespaces, and has
execution restricted to a "uuns" group. This provides an easy way for
the administrator to control permissions for creating unprivileged
namespaces; simply add users to the "uuns" group.

I'm interested in feedback. If this is something of interest to the
distribution, I'll try my hand at creating a package for it.

--
Steven


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
7heo <7heo@mail.com>
Details
Message ID
<q4mcvl.oqcvpg.2zmlau-qmf@gmx.com>
In-Reply-To
<20170522140741.52076a6b@tuvix.sjm.so> (view parent)
Sender timestamp
1495459199
DKIM signature
missing
Download raw message
6 years ago 
I like its simplicity and default behavior to start a shell.

I am not very familiar with namespaces myself, but this looks like a good idea.

I'll try it when I have time.

Cheers,
Theo. 

On Monday, May 22, 2017, Steven McDonald wrote:
> Hi there,
> 
> I've been playing around with unprivileged user namespaces on Alpine
> and decided to write a simple tool to make them feasible (without
> installing LXC) on Alpine's hardened kernel.
> 
> I've just pushed it to GitHub:
> 
>   https://github.com/stevenjm/uuns
> 
> It's essentially the same thing as "unshare --user", but the executable
> has the file capabilities necessary to create user namespaces, and has
> execution restricted to a "uuns" group. This provides an easy way for
> the administrator to control permissions for creating unprivileged
> namespaces; simply add users to the "uuns" group.
> 
> I'm interested in feedback. If this is something of interest to the
> distribution, I'll try my hand at creating a package for it.
> 
> --
> Steven
> 
> 
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
> 
>
Steven McDonald <steven@steven-mcdonald.id.au>
Details
Message ID
<20170528043255.6e7e68b3@tuvix.sjm.so>
In-Reply-To
<q4mcvl.oqcvpg.2zmlau-qmf@gmx.com> (view parent)
Sender timestamp
1495938775
DKIM signature
missing
Download raw message
6 years ago 
On Mon, 22 May 2017 13:19:59 +0000
7heo <7heo@mail.com> wrote:

> I like its simplicity and default behavior to start a shell.
> 
> I am not very familiar with namespaces myself, but this looks like a
> good idea.
> 
> I'll try it when I have time.

Thanks for the feedback.

After some more experimentation, I think this is actually not very
useful. The same thing can be accomplished by simply creating the
namespace as root and then mapping a different user to root inside the
namespace. The documentation had initially lead me to believe otherwise.

I'll leave this up on GitHub in case somebody else has a use for it, but
I probably won't be doing anything else with it myself.


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)