User namespaces progress [LWN.net]

User namespaces progress

Posted Jan 3, 2013 7:59 UTC (Thu) by ebiederm (subscriber, #35028) [Link]

Privileged ports keep those pesky users off of the ports where you run your servers.

User namespaces progress

Posted Jan 3, 2013 16:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

And forces you to run daemons under the freaking root user. Great improvement, yes.

User namespaces progress

Posted Jan 3, 2013 17:18 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

Err, no. They can change their uid away after start without any problems. Or they can get an additional CAP_NET_BIND_SERVICE without all the rest of root's powers.

User namespaces progress

Posted Jan 3, 2013 17:21 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Ok. I have a Java application that needs to listen on port 80.

How do I do it? I've actually tried multiple ways and all of them failed.

User namespaces progress

Posted Jan 3, 2013 17:40 UTC (Thu) by man_ls (subscriber, #15091) [Link]

Have you tried setcap?

setcap 'cap_net_bind_service=+ep' /path/to/program

It worked for me but it was not Java; in your case run setcap for the java binary.

User namespaces progress

Posted Jan 3, 2013 19:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

And now all Java programs have this privilege. Which is not that bad, since this restriction is brain-dead in the first place. But it also breaks during updates and is totally non-transparent (NOBODY checks file caps).

You might actually notice that I have an answer in the thread you've linked: http://stackoverflow.com/a/7701793/625001 However, while it works for erlang it somehow fails for Java. Don't ask me why.

User namespaces progress

Posted Jan 3, 2013 17:44 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

It depends a bit on how you want to start java, but in general you can do stuff like:
$ nc -l 234
nc: Permission denied
$ cp `which nc` /tmp/nc && sudo setcap cap_net_bind_service+ep /tmp/nc
$ /tmp/nc -l 234
^C

In many scenarios you probably will end up using something like capsh or pam-cap.

User namespaces progress

Posted Jan 3, 2013 19:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

By copying a binary.

Beautiful. Not.

> In many scenarios you probably will end up using something like capsh or pam-cap.
I'll gladly send you a beer if you can give me a command line that actually works. I have tried all sorts of capsh command variations, but NONE of them works.

User namespaces progress

Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

> By copying a binary.
> Beautiful. Not.

I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.

> In many scenarios you probably will end up using something like capsh or pam-cap.

libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"

It should be rather similar for other distributions.

Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C

User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Doesn't work with Java, just tried it on my system (it's Debian Stable).

User namespaces progress

Posted Jan 3, 2013 7:57 UTC (Thu) by ebiederm (subscriber, #35028) [Link]

When entering a user namespace you drop privileges.

The best way I can explain it is to describe an April Fool's day joke that you can play on your friendly local sysadmin.

Create a binary and call it something like $HOME/bin/su. Have that binary
call unshare(CLONE_NEWUSER) and write to /proc/[pid]/uid_map and /proc/[pid]/gid_map so that 0 in the current user namespace maps to the current uid and gid. Have this binary exec $SHELL. No privileges required.

Report that su is working without requiring root privileges in your account.

You can look around in /proc/self/status and see that your uid and gid are 0 and that you have all privs.

Extra points if you can get your local sysadmin to start trying to do things and from your $HOME/bin/su, because things really won't work and if you don't realize what is going on you are likely to be quite frustrated.
Services won't restart. You can't kill processes owned by other users etc.

Having a pam module set it up so that the user that looks like root has a distinct uid from everyone else is trickier to setup but could be more entertaining.

So while you have CAP_NET_BIND and can bind to any port in any network namespace you create, creating a network namespace won't do you much good because that network namespace is not connected to any other network namespace.