User namespaces progress

Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562)
In reply to: User namespaces progress by Cyberax
Parent article: User namespaces progress

> By copying a binary.
> Beautiful. Not.

I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.

> In many scenarios you probably will end up using something like capsh or pam-cap.

libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"

It should be rather similar for other distributions.

Then start a new shell as your user (*not* via sudo "su - cyberax"; use sudo -u cyberax, or su - cyberax from *your* user, or such; pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C

User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link]

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)
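Whichever of the two routes above is used (pam-cap granting the capability at login, or capsh handing it to a single command), the thing worth checking afterwards is what the kernel actually reports for the resulting process: the CapInh/CapPrm/CapEff lines in /proc/<pid>/status. The script below is an added example, not code from the thread or from libcap; it decodes those hex masks with plain sh arithmetic and reports whether the effective set is exactly {cap_net_bind_service} (bit 10), so a shell obtained via pam-cap or capsh can be verified to have picked up that one capability and nothing more. The sample status lines it uses are constructed; the field names are the real ones from /proc.

```shell
#!/bin/sh
# Added example: decode capability masks from a /proc/<pid>/status file and
# confirm that exactly CAP_NET_BIND_SERVICE (bit 10 in <linux/capability.h>)
# is in the effective set. Not part of the LWN thread or of libcap.

CAP_NET_BIND_SERVICE=10

# cap_bit_set MASKHEX BIT -> success if BIT is set in the 64-bit hex mask
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# extra_caps MASKHEX BIT -> success if the mask holds any bit other than BIT
# (the daemon should not have acquired more than the one capability it needs)
extra_caps() {
    [ $(( 0x$1 & ~(1 << $2) )) -ne 0 ]
}

# cap_field STATUSFILE NAME -> print the hex mask for CapInh/CapPrm/CapEff/...
# (prints nothing if the line is absent, e.g. a file that is not a status file)
cap_field() {
    while read -r key val; do
        if [ "$key" = "$2:" ]; then
            echo "$val"
            return 0
        fi
    done < "$1"
    return 0
}

# check_status STATUSFILE -> one-line verdict; success only when the effective
# set is exactly {cap_net_bind_service}
check_status() {
    eff=$(cap_field "$1" CapEff)
    inh=$(cap_field "$1" CapInh)
    if [ -z "$eff" ]; then
        echo "error: no CapEff line in $1"
        return 2
    fi
    if ! cap_bit_set "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo "missing: cap_net_bind_service not effective (CapEff=$eff)"
        return 1
    fi
    if extra_caps "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo "too broad: effective set has more than cap_net_bind_service (CapEff=$eff)"
        return 1
    fi
    echo "ok: effective set is exactly cap_net_bind_service (CapEff=$eff CapInh=${inh:-none})"
    return 0
}

# Run with --live from inside the pam-cap / capsh shell to inspect that shell itself.
if [ "${1:-}" = "--live" ]; then
    check_status /proc/self/status
fi
```

From a normal login the script reports "missing"; from the shell obtained with `sudo -u andres` after enabling pam-cap it should report "ok", and the CapInh value it prints shows whether the capability will survive into children such as `nc`. A root shell reports "too broad", which is exactly the case the binary copy and the pam-cap setup were meant to avoid.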

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Doesn't work with Java, just tried it on my system (it's Debian Stable).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds