User namespaces progress

User namespaces progress

Posted Jan 3, 2013 16:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: User namespaces progress by ebiederm
Parent article: User namespaces progress

And forces you to run daemons under the freaking root user. Great improvement, yes.


User namespaces progress

Posted Jan 3, 2013 17:18 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

Err, no. They can change their uid away after start without any problems. Or they can get an additional CAP_NET_BIND_SERVICE without all the rest of root's powers.

User namespaces progress

Posted Jan 3, 2013 17:21 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Ok. I have a Java application that needs to listen on port 80.

How do I do it? I've actually tried multiple ways and all of them failed.

User namespaces progress

Posted Jan 3, 2013 17:40 UTC (Thu) by man_ls (subscriber, #15091) [Link]

Have you tried setcap?
setcap 'cap_net_bind_service=+ep' /path/to/program
It worked for me but it was not Java; in your case run setcap for the java binary.

User namespaces progress

Posted Jan 3, 2013 19:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

And now all Java programs have this privilege. Which is not that bad, since this restriction is brain-dead in the first place. But it also breaks during updates and is totally non-transparent (NOBODY checks file caps).

You might actually notice that I have an answer in the thread you've linked: http://stackoverflow.com/a/7701793/625001 However, while it works for erlang it somehow fails for Java. Don't ask me why.
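The "NOBODY checks file caps" point above is easy to test: an added example (not from any commenter in this thread) that decodes the raw security.capability xattr that setcap writes (struct vfs_cap_data, revisions 1 to 3) and walks a directory listing every file that carries one. The CAP_NAMES table is a subset and SAMPLE_SETCAP_EP is constructed to match what setcap 'cap_net_bind_service=+ep' stores.

```python
import os
import struct

# Subset of the Linux capability numbers; anything else decodes as cap_N.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
             18: "cap_sys_chroot", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
             27: "cap_mknod", 31: "cap_setfcap"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Constructed: revision 2 header with the effective flag, bit 10 in permitted.
SAMPLE_SETCAP_EP = struct.pack("<IIIII", 0x02000001, 1 << 10, 0, 0, 0)


def _names(mask):
    return sorted(CAP_NAMES.get(i, "cap_%d" % i) for i in range(64) if mask >> i & 1)


def decode_vfs_cap(raw):
    """Decode the on-disk (little-endian) security.capability value."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    rootid = None
    if revision == 1:                      # one u32 pair: permitted, inheritable
        perm, inh = struct.unpack_from("<II", raw, 4)
    elif revision in (2, 3):               # two pairs (lo, hi); rev 3 adds rootid
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        perm, inh = p_lo | (p_hi << 32), i_lo | (i_hi << 32)
        if revision == 3:
            (rootid,) = struct.unpack_from("<I", raw, 20)
    else:
        raise ValueError("unknown vfs cap revision %d" % revision)
    return {"revision": revision, "permitted": _names(perm),
            "inheritable": _names(inh), "rootid": rootid,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}


def find_file_caps(root="/usr/bin"):
    """Return {path: decoded caps} for every file under root with a file cap."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):
                continue               # ENODATA (no cap), unreadable, or not Linux
            found[path] = decode_vfs_cap(raw)
    return found


if __name__ == "__main__":
    for path, caps in sorted(find_file_caps().items()):
        print(path, caps)
```

Running it as an ordinary user is enough to audit what setcap has left behind on a system, which is the transparency check the comment says nobody does.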

User namespaces progress

Posted Jan 3, 2013 17:44 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

It depends a bit on how you want to start java, but in general you can do stuff like:
$ nc -l 234
nc: Permission denied
$ cp `which nc` /tmp/nc && sudo setcap cap_net_bind_service+ep /tmp/nc
$ /tmp/nc -l 234
^C

In many scenarios you probably will end up using something like capsh or pam-cap.

User namespaces progress

Posted Jan 3, 2013 19:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

By copying a binary.

Beautiful. Not.

> In many scenarios you probably will end up using something like capsh or pam-cap.
I'll gladly send you a beer if you can give me a command line that actually works. I have tried all sorts of capsh command variations, but NONE of them works.

User namespaces progress

Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

> By copying a binary.
> Beautiful. Not.

I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.

> In many scenarios you probably will end up using something like capsh or pam-cap.

libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"

It should be rather similar for other distributions.

Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C

User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Doesn't work with Java, just tried it on my system (it's Debian Stable).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds