From: Steven McDonald
To: alpine-devel@lists.alpinelinux.org
Date: Mon, 22 May 2017 14:07:41 +0200
Subject: [alpine-devel] uuns: Unprivileged user namespaces on hardened kernel
Message-ID: <20170522140741.52076a6b@tuvix.sjm.so>

Hi there,

I've been playing around with unprivileged user namespaces on Alpine
and decided to write a simple tool to make them feasible (without
installing LXC) on Alpine's hardened kernel. I've just pushed it to
GitHub:

https://github.com/stevenjm/uuns

It's essentially the same thing as "unshare --user", but the executable
has the file capabilities necessary to create user namespaces, and has
execution restricted to a "uuns" group. This provides an easy way for
the administrator to control permissions for creating unprivileged
namespaces; simply add users to the "uuns" group.

I'm interested in feedback. If this is something of interest to the
distribution, I'll try my hand at creating a package for it.

--
Steven
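Added example, not part of the original message or of the uuns project: a Python audit of the install model described above (file capabilities on the executable, execution limited to one group), which decodes the `security.capability` xattr and checks the mode bits. The function names, the root-ownership check and the sample xattr value are assumptions made for illustration; the message does not say which capabilities uuns carries.

```python
import grp
import os
import stat
import struct

# Subset of capability numbers from linux/capability.h; others print as cap_<n>.
CAP_NAMES = {6: "CAP_SETGID", 7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}
# Number of 32-bit (permitted, inheritable) pairs for each xattr revision.
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def decode_file_caps(blob):
    """Decode a raw security.capability xattr value (little-endian on disk)."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    words = REVISION_WORDS.get(magic & 0xFF000000)
    if words is None:
        raise ValueError("unknown capability xattr revision")
    permitted = 0
    for i in range(words):
        low, _inheritable = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= low << (32 * i)
    names = [CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if permitted >> n & 1]
    return {"effective": bool(magic & 1), "permitted": sorted(names)}

def audit(mode, uid, gid, group_gid, caps_blob):
    """Return findings for a group-restricted, capability-bearing executable."""
    findings = []
    if uid != 0:  # assumption: the helper is installed owned by root
        findings.append("not owned by root")
    if gid != group_gid:
        findings.append("group is not the restricted group")
    if mode & stat.S_IXOTH:
        findings.append("executable by everyone, group restriction is void")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner")
    if caps_blob is None:
        findings.append("no file capabilities set")
    return findings

def audit_path(path, group="uuns"):
    """Audit an installed binary; path is supplied by the caller."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = None
    return audit(st.st_mode, st.st_uid, st.st_gid, grp.getgrnam(group).gr_gid, blob)

# Constructed sample xattr value (revision 2, effective bit set), not taken from uuns.
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 6 | 1 << 7 | 1 << 21, 0, 0, 0)
```

An empty list from `audit_path` means the binary matches the model: mode 0750-style permissions, the restricted group, and a capability xattr present.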