Questions tagged [userns]

User namespaces, or `userns` for short, are a facility that allows a sub-namespace to have its own set of UIDs and GIDs. This makes it possible to apply the principle of least privilege to LXC containers, but it is not limited to that use case.

Summary

The Linux kernel allows certain resources to be confined to a namespace. The practical use for this is mostly containers in the LXC sense (see ). However, it is also possible to start a single program and limit its view of the system (check out the man page for unshare).

User namespaces (userns) have been one of the long-awaited features for LXC, since they allow an unprivileged user on the host to be mapped to a range of UIDs in the container, and likewise that user's GID to a range of GIDs. Since the container's processes, network, host name and so on are also confined to their child namespace, this effectively means one can run a full-fledged LXC container from an unprivileged host system account, thus limiting the scope of a potential security breach.

The main goal of userns is to allow the mapping of a UID (and GID) from the parent namespace into a range of UIDs (and GIDs) in the child namespace. So if you have a user account joe which is an ordinary unprivileged user on your system, this user could, provided the LXC container is prepared accordingly, run a container and inside it act as root within the boundaries of the namespace, without adversely affecting the host. The kernel would still ensure that all those processes, which on the host appear to run as joe, cannot do anything fancy with block devices and the like: access is granted purely on the basis of joe's permissions on the host. Inside the container, files would still be owned by root (and whatever users get created there), and permission would be granted or denied first based on joe's permissions in the parent namespace and then, inside the container, based on the respective UIDs/GIDs as they appear from within the container.

So, in a sense, namespaces (not just userns) provide a confined view of system resources, allowing fine-grained and secure jailing.

25 questions
21 votes, 2 answers

What is an unprivileged LXC container?

What does it mean if a Linux container (LXC container) is called "unprivileged"?
0xC0000022L
14 votes, 1 answer

Why can't I bind-mount "/" inside a user namespace?

Why doesn't this work? $ unshare -rm mount --bind / /mnt mount: /mnt: wrong fs type, bad option, bad superblock on /, missing codepage or helper program, or other error. These work ok: $ unshare -rm mount --bind /tmp /mnt $ unshare -rm mount --bind…
sourcejedi
13 votes, 1 answer

Is there a tool(!) to list assigned subuid and subgid values for users?

usermod -v (--add-sub-uids) and usermod -w (--add-sub-gids) can be used to manipulate the subuid and subgid ranges for a user account, but there appears to be no tool that can merely list them. Is there one? At least on my Ubuntu 14.04 box getent…
0xC0000022L
12 votes, 1 answer

How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)

My Linux kernel must have been configured with user_namespaces when built, but their use is restricted after boot and has to be explicitly enabled. Which sysctl should I use? (If this was turned on, this would allow to run an isolation command like…
imz -- Ivan Zakharyaschev
9 votes, 5 answers

How can I list all connections to my host, including those to LXC guests?

I tried both netstat and lsof, but it appears it's not possible to see the connections to my LXC guests. Is there a way to achieve this ... for all guests at once? Essentially what throws me off here is the fact that I can see the processes of the…
0xC0000022L
8 votes, 1 answer

userns container fails to start, how to track down the reason?

When creating a userns (unprivileged) LXC container on Ubuntu 14.04 with the following command line: lxc-create -n test1 -t download -- -d $(lsb_release -si|tr 'A-Z' 'a-z') -r $(lsb_release -sc) -a $(dpkg --print-architecture) and (without touching…
0xC0000022L
7 votes, 1 answer

Mounting Overlayfs in a user namespace

Is it possible to mount an Overlayfs filesystem as an unprivileged user in a user namespace in Linux kernels >4.3.3; it seems that the fix to this vulnerability has blocked this functionality entirely. When I create a new user namespace with…
Josh Hebert
7 votes, 2 answers

How to influence the assignment of subordinate UIDs/GIDs when creating user accounts?

To my knowledge the subordinate UIDs and GIDs are assigned to accounts in such a manner that they form a contiguous range. The range starts at 100000 by default and probably stretches to the theoretical maximum value for a UID/GID (even though I…
0xC0000022L
7 votes, 1 answer

Subordinate GIDs/UIDs with LXC and userns for unprivileged user?

When using userns (via LXC in my case), you assign a range of subordinate GIDs and UIDs to an unprivileged user. See for resources: subuid(5), subgid(5), newuidmap(1), newgidmap(1), user_namespaces(7). That range can then be used and will via userns…
0xC0000022L
7 votes, 3 answers

Migrate an unprivileged LXC container between users

I have an Ubuntu 14.04 server installation which acts as an LXC host. It has two users: user1 and user2. user1 owns an unprivileged LXC container, which uses a directory (inside /home/user1/.local/...) as backing store. How do I make a full copy of…
agdev84
5 votes, 4 answers

Building unprivileged (userns) LXC container from scratch, by migrating a privileged container to be unprivileged

How can I build a privileged LXC (1.0.3) container (that part I know) and then migrate it successfully to be run unprivileged? That is, I'd like to debootstrap it myself or adjust the lxc-ubuntu template (commonly under /usr/share/lxc/templates) in…
0xC0000022L
3 votes, 1 answer

How do I enable unprivileged_userns_clone selectively for one executable or user?

How do I enable CLONE_NEWUSER in a more fine-grained fashion compared to just kernel.unprivileged_userns_clone? I want to keep kernel API attack surface manageable by keeping new and complicated things like non-root CAP_SYS_ADMIN or BPF disabled,…
Vi.
3 votes, 1 answer

Ping not working in a new C container

I've been working on writing my own Linux container from scratch in C. I've borrowed code from several places and put up a basic version with namespaces & cgroups. Basically, I clone a new process with all the CLONE_NEW* flags to create new…
3 votes, 1 answer

What makes firefox inside a container launch a new firefox window outside on the host with the UID of the host user? Isn't it weird for an LXC?

Can someone please explain this weird behaviour to me: I have an unprivileged LXC container with firefox inside. If firefox is running on the host outside of the container, /usr/bin/firefox inside the container launches a new firefox window outside…
MCH
3 votes, 1 answer

Why can't a UID 0 process hardlink to SUID files in a user namespace?

Consider the following transcript of a user-namespaced shell running with root privileges (UID 0 within the namespace, unprivileged outside): # cat /proc/$$/status | grep CapEff CapEff: 0000003cfdfeffff # ls -al total 8 drwxrwxrwx 2 root root …
dst