[Toybox] unshare/nsenter and flags

Yifan Hong elsk at google.com
Fri May 10 16:46:57 PDT 2024 

I am running all commands as a non-root user. Here are the two commands I
run:

strace ./toybox unshare --mount --map-root-user --user /bin/bash -c 'echo'
2>&1 | tee /tmp/user.txt
strace ./toybox unshare --mount --map-root-user /bin/bash -c 'echo' 2>&1 |
tee /tmp/no_user.txt
strace unshare --mount --map-root-user /bin/bash -c 'echo' 2>&1 | tee
/tmp/no_user_linux.txt

Here are how the strace's approximately look like. I do not need sudo to
run these commands in my environment.

On Fri, May 10, 2024 at 7:56 AM Rob Landley <rob at landley.net> wrote:

> Ok, cycling back to this...
>
> On 5/2/24 21:51, enh wrote:
> >> > it seems like -r _doesn't_ actually imply -U in practice (and they
> >> > seemed to have strace output to prove it).
> >>
> >> So... should it?
> >
> > i think so? i have no idea about any of this, but
> > https://man7.org/linux/man-pages/man1/unshare.1.html says
> >
> >        -r, --map-root-user
> >            Run the program only after the current effective user and
> >            group IDs have been mapped to the superuser UID and GID in
> >            the newly created user namespace. This makes it possible to
> >            conveniently gain capabilities needed to manage various
> >            aspects of the newly created namespaces (such as configuring
> >            interfaces in the network namespace or mounting filesystems
> >            in the mount namespace) even when run unprivileged. As a mere
> >            convenience feature, it does not support more sophisticated
> >            use cases, such as mapping multiple ranges of UIDs and GIDs.
> >            This option implies --setgroups=deny and --user. This option
> >            is equivalent to --map-user=0 --map-group=0.
> >
> > which sounds like it supports the toybox documentation rather than the
> > toybox source?
> >
> >> What did they try to do, and what did they _want_ to happen?
> >
> > unshare --mount --map-root-user /bin/sh -c "mount --bind $A $B"
>
> Running that as my normal user gave EPERM on the unshare(CLONE_NEWNS)
> which is
> the reason I haven't poked at this more. (To be useful, it seems like it
> probably needs to be setuid and then drop permissions after unsharing
> stuff, and
> I need to come up to speed on the security implications of that and
> possibly
> write a "contain" command with as little novelty as possible. Which is not
> a can
> of worms I want to open without a clear desk...)
>
> Running it under sudo I got:
>
> openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
> write(3, "deny", 4)                     = -1 EPERM (Operation not
> permitted)
>
> > they looked at strace for toybox and saw
> >
> > unshare(CLONE_NEWNS)                    = -1 EPERM (Operation not
> permitted)
> >
> > but for the util-linux one they saw
> >
> > unshare(CLONE_NEWNS|CLONE_NEWUSER)      = 0
>
> Are they root or a normal user? Because adding -U to the above command
> line I got:
>
> geteuid()                               = 1000
> getegid()                               = 1000
> unshare(CLONE_NEWNS|CLONE_NEWUSER)      = -1 EPERM (Operation not
> permitted)
>
> But with sudo, that succeeded and adding an ls -l to the bash command yes
> it did
> the bind mount, which is gone again when it exits.
>
> >> The "22.04" means it came out two years and one month ago, and that's
> what
> >> they're migrating me TO. So, you know, I can presumably feel less bad
> about my
> >> laptop...
> >
> > (to be fair, until _last week_ that was the current LTS release :-)
> > but, yeah, odd timing unless they deliberately like to be on the
> > previous LTS release! i'll throw no stones as long as i'm living so
> > close to the Android build server glass house though...)
>
> Got about half my laptop tabs closed so far! Working towards a reboot...
>
> Rob
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20240510/5c7ee0cc/attachment.htm>
-------------- next part --------------
execve("./toybox", ["./toybox", "unshare", "--mount", "--map-root-user", "/bin/bash", "-c", "echo"], 0x7ffc27eb23a0 /* 65 vars */) = 0
[...redacted...]
geteuid()                               = 406530
getegid()                               = 89939
unshare(CLONE_NEWNS)                    = -1 EPERM (Operation not permitted)
write(2, "unshare: ", 9unshare: )                = 9
write(2, "Operation not permitted", 23Operation not permitted) = 23
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?
+++ exited with 1 +++
-------------- next part --------------
execve("./toybox", ["./toybox", "unshare", "--mount", "--map-root-user", "--user", "/bin/bash", "-c", "echo"], 0x7ffdb0eb1178 /* 65 vars */) = 0
[...redacted...]
geteuid()                               = 406530
getegid()                               = 89939
unshare(CLONE_NEWNS|CLONE_NEWUSER)      = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4)                     = 4
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY|O_CLOEXEC) = 3
write(3, "0 406530 1", 10)              = 10
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY|O_CLOEXEC) = 3
write(3, "0 89939 1", 9)                = 9
close(3)                                = 0
execve("/bin/bash", ["/bin/bash", "-c", "echo"], 0x7ffd8a3d1120 /* 65 vars */) = 0
[...redacted...]
+++ exited with 0 +++
-------------- next part --------------
execve("/usr/bin/unshare", ["unshare", "--mount", "--map-root-user", "/bin/bash", "-c", "echo"], 0x7ffe5231d1b8 /* 65 vars */) = 0
[...redacted...]
geteuid()                               = 406530
getegid()                               = 89939
getrandom("\xc6\xd9\xb8\x10\x25\x28\x8b\x2a", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x558be3242000
brk(0x558be3263000)                     = 0x558be3263000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=3052896, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 3052896, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe9e7800000
close(3)                                = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[CHLD], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fe9e7b86510}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
unshare(CLONE_NEWNS|CLONE_NEWUSER)      = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY) = 3
write(3, "0 406530 1", 10)              = 10
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4)                     = 4
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY) = 3
write(3, "0 89939 1", 9)                = 9
close(3)                                = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
execve("/bin/bash", ["/bin/bash", "-c", "echo"], 0x7ffd42094720 /* 65 vars */) = 0
[...redacted...]
+++ exited with 0 +++

More information about the Toybox mailing list