The mount() command associated with this error message is not about
unmounting the proc fs, but rather about changing the propagation
of mount events for the proc fs. Rewrite the error message to
reflect this.
Variable cap was 32 bits and shifting it by 64 bits resulted to the shift
going over a variable boundary.
CID: 360799
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Karel Zak <kzak@redhat.com>
After unshare(...) is called, /proc/self/ns/pid does not change.
Instead, only /proc/self/ns/pid_for_children is affected. So bind-mounting
/proc/self/ns/pid results in the original namespace getting bind-mounted.
Fix this by instead bind-mounting ns/pid_for_children.
[kzak@redhat.com: - add ns/time_for_children
- remove C++ comments
- resolve commit conflicts]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Karel Zak <kzak@redhat.com>
The --map-user and --map-group options can now be specified by either
uid/gid or user/group name.
Signed-off-by: Matthew Harm Bekkema <id@mbekkema.name>
Two new options are added: `--map-user=<uid>` and `--map-group=<gid>`
for custom user and group mappings respectively. These are just
generalizations of the existing `--map-root-user` and
`--map-current-user` options.
As a side effect of this commit, specifying both `--map-root-user` and
`--map-current-user` no longer causes an error. Instead, the last
occurrence takes precedence.
Addresses: https://github.com/karelzak/util-linux/issues/885
Signed-off-by: Matthew Harm Bekkema <id@mbekkema.name>
While working on getting time namespace support into 'nsenter' it was
not possible to use '-t' to enter a time namespace as '-t' is the short
option for '--target'. Fortunately '-T' is still available in 'nsenter'
and 'unshare' and therefore let's change 'unshare' to use the same flag
for the time namespace as 'nsenter'.
Signed-off-by: Adrian Reber <areber@redhat.com>
This adds support to unshare for time namespaces. With the newly added
options '-t, --time' and '--monotonic' and '--boottime' it is now
possible to change CLOCK_MONOTONIC and CLOCK_BOOTTIME in a new time
namespace.
The time namespace has been merged in kernel version 5.6 and an easy way
to test it is using CLOCK_BOOTTIME and the uptime command:
# uptime
11:08:26 up 20:28, 1 user, load average: 0.00, 0.00, 0.00
# ./unshare --fork --time --boottime 100000000 uptime
11:08:29 up 1158 days, 6:15, 1 user, load average: 0.00, 0.00, 0.00
Signed-off-by: Adrian Reber <areber@redhat.com>
A few lines of the help message were unaligned in the output because of
mixes use of tabs and space. This removes all tabs and replaces them
with spaces.
Signed-off-by: Adrian Reber <areber@redhat.com>
'c' was missing from the optstring, causing the error:
$ unshare --user -c
unshare: invalid option -- 'c'
Try 'unshare --help' for more information.
Fixes: 4175f29e62 ("unshare: add --map-current-user option")
Signed-off-by: Matthew Harm Bekkema <id@mbekkema.name>
Add the --keep-caps option to unshare to preserve capabilities that
are granted when creating a new user namespace. This allows the child
process to retain privilege within the new user namespace without also
being UID 0.
Add the --map-current-user option to unshare. This option maps the
current effective UID and GID in the new user namespace so that the
inner and outer credentials match.
Signed-off-by: James Peach <jpeach@apache.org>
This patch introduces two new parameters to set the
user ID and the group ID of the program to be executed.
Setting group ID also drops supplementary groups.
The option names used are the same as for nsenter,
-S, --setuid and -G, --setgid.
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
This patch instroduces two new parameters to set the new
root and the new working directory in this new root.
This allows to combine "unshare chroot" in one command,
and doing like this the /proc filesystem is correctly
mounted in the new root with "--mount-proc".
The new parameters are -R, --root and -w, --wd. The names
are the same as for nsenter, except for "-r" that is already
used by "--map-root-user" and replaced by "-R".
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
The code and man page do not assume -s to be short alias to
--setgroups.
This commit also a little bit change --help output formatting to make
it more readable and structured.
Addresses: https://github.com/karelzak/util-linux/pull/692
Signed-off-by: Karel Zak <kzak@redhat.com>
This allows to conveniently kill the entire process tree
below the forked program, a common problem when scripting
tasks that need to reliably fully terminate without leaving
reparented subprocesses behind.
The example added to the man page shows the most common use.
Implemented using prctl(PR_SET_PDEATHSIG, ...).
changed in include/c.h and applied via sed:
sed -i 's/fprintf.*\(USAGE_MAN_TAIL.*\)/printf(\1/' $(git ls-files -- "*.c")
sed -i 's/print_usage_help_options\(.*\);/printf(USAGE_HELP_OPTIONS\1);/' $(git ls-files -- "*.c")
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Consolidate --help and --version descriptions. We are
now able to align them to the other options.
We changed include/c.h. The rest of this patch was
generated by sed, plus manually setting the right
alignment numbers. We do not change anything but
white spaces in the --help output.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
(Original patch and commit message edited by Rudi.)
gcc-7 adds -Wimplicit-fallthrough=3 to our default flag -Wextra.
This warning can be silenced by using comment /* fallthrough */
which is also recognized by other tools like coverity. There are
also other valid comments (see man gcc-7) but we consolidate this
style now.
We could have also used __attribute__((fallthrough)) but the comment
looks nice and does not need to be ifdef'ed for compatibility.
Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=7652
Reference: https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Reviewed-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Suggested-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
text-utils/tailf.c:69:21: warning: Using plain integer as NULL pointer
Since many 'struct option' has used zero as NULL make them more readable in
same go by reindenting, and using named argument requirements.
Reference: https://lwn.net/Articles/93577/
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Replace busy-loop with waiting on pipe from parent.
Note: reduces racing probability, but still there are window where
it is possible (if parent unshare process will be [externally] killed
between successful read(fds[0]) and mount() calls).
[kzak@redhat.com: - use all-io.h to avoid loops around write() and read(),
- use less generic 0x06 byte to sync parent and child]
Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
We can create a reference (bind mount) to the new namespace after
unshare(2), but it does not make sense to do it within unshared
namespace. (And if I read kernel fs/namespace.c: do_loopback()
correctly than copy mount bind mounts of /proc/<pid>/ns/mnt between
namespaces is unsupported.)
This patch bypass this problem by fork() where parent continue as
usually (call unshare(2), setup another things, etc.), but child
waits for /proc/[ppid]/ns/mnt inode number change (the ino is
changed after parent's unshare(2)) and then it bind mounts the new
namespaces and exit.
Signed-off-by: Karel Zak <kzak@redhat.com>
For nsenter(1) we already support namespace specification by file
(e.g. bind mount to namespace /proc/[pid]/ns/[type] file). For
example:
# nsenter --uts=/some/path
This patch extends unshare(1) to setup the bind mount for specified
namespace, for example
# touch /some/path
# unshare --uts=/some/path hostname FOO
# nsenter --uts=/some/path hostname
FOO
Note that the problem is mount namespace, because create bind mount
to ns/mount file within unshared namespace does not make sense.
Based on patch from Lubomir Rintel <lkundrak@v3.sk>.
Signed-off-by: Karel Zak <kzak@redhat.com>
After "unshare --mount" users assume that mount operations within the
new namespaces are unshared (invisible for the rest of the system).
Unfortunately, this is not true and the behavior depends on the
current mount propagation setting. The kernel default is "private",
but for example systemd based distros use "shared". The solution is to
use (for example) "mount --make-private" after unshare(1).
I have been requested many times to provide less fragile and more
unified unshared mount setting *by default* to make things user
friendly.
The patch forces unshare(1) to explicitly use MS_REC|MS_PRIVATE for all
tree by default.
We can use something less (e.g MS_SLAVE), but "private" is the kernel
default, so for many users this change (feature) will be invisible.
This feature is possible to disable by "--propagation unchanged" or it's
possible to specify another propagation flag, supported are:
<slave|shared|private|unchanged>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Since Linux 3.19 the file /proc/self/setgroups controls setgroups(2)
syscall usage in user namespaces. This patch provides command line knob
for this feature.
The new --setgroups does not automatically implies --user to avoid
complexity, it's user's responsibility to use it in right context. The
exception is --map-root-user which is mutually exclusive to
--setgroups=allow.
CC: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
In rare cases droping groups with setgroups(0, NULL) is an operation
that can grant a user additional privileges. User namespaces were
allwoing that operation to unprivileged users and that had to be
fixed.
Update unshare --map-root-user to disable the setgroups operation
before setting the gid_map.
This is needed as after the security fix gid_map is restricted to
privileged users unless setgroups has been disabled.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This adds a concise description of a tool to its usage text.
A first form of this patch was proposed by Steven Honeyman
(see http://www.spinics.net/lists/util-linux-ng/msg09994.html).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Since 6728ca10 we are using MS_PRIVATE and MS_REC which are not defined
in some systems's sys/mount.h.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
This makes it very convenient to use make use of privileged actions
on CONFIG_USER_NS enabled kernels, without having to manually tinker
with uid_map and gid_map to obtain required credentials (as those
given upon unshare() vanish with call to execve() and lot of userspace
checks for euid==0 anyway).
Usage example:
$ unshare --uts
unshare: unshare failed: Operation not permitted
$ unshare --user --uts
[nfsnobody@odvarok ~]$ hostname swag
hostname: you must be root to change the host name
$ unshare -r --uts
[root@odvarok util-linux]# hostname swag
[root@odvarok util-linux]#
[kzak@redhat.com: - move code to map_id()
- use all-io.h
- add paths to pathnames.h]
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Karel Zak <kzak@redhat.com>
Based on patch from Mike Frysinger <vapier@gentoo.org>.
Mike Frysinger wrote:
When it comes to pid namespaces, it's also useful for /proc to reflect
the current namespace. Again, this is easy to pull off, but annoying
to force everyone to do it themselves. So let's add a --mount-proc to
do the magic for us. The downside is that this also implies creating
a mount namespace as mounting the new pid namespace /proc over top the
system one will quickly break all other processes on the system.
Signed-off-by: Karel Zak <kzak@redhat.com>
Acked-by: Mike Frysinger <vapier@gentoo.or>
Karel Zak
Johan Herland
Sami Kerola
Daan De Meyer
Toni Uhlig
michael-dev
Rosen Penev
Matthew Harm Bekkema
Adrian Reber
James Peach
Laurent Vivier
Niklas Hambüchen
Ruediger Meier
Serge Hallyn
Yuriy M. Kaminskiy
Benno Schulenberg
Eric W. Biederman
Lubomir Rintel