c - Why is unprivileged recursive unshare(CLONE_NEWUSER) not permitted? -


i'm on ubuntu 17.04.

single unprivilleged unshare of mount namespace works. can try using unshare(1) command:

$ unshare -m -u /bin/sh #

however unshare within unshare not permitted:

$ unshare -m -u /bin/sh # unshare -m -u /bin/sh unshare: operation not permitted #

here c program same:

#define _gnu_source #include <stdio.h> #include <sched.h> #include <sys/mount.h> #include <unistd.h>  int main(int argc, char *argv[]) {     if(unshare(clone_newuser|clone_newns) == -1) {         perror("unshare");         return -1;     }     if(unshare(clone_newuser|clone_newns) == -1) {         perror("unshare2");         return -1;     }     return 0; }

why it's not permitted? can find documentation this? failed find information in unshare or clone man page , in kernel unshare documentation.

is there system setting allow this?

what want achieve:

first unshare: want mask few binaries on system own versions.

second unshare: unprivilleged chroot.

i'm guessing here, think reason uid mapping. in order perform it, conditions must met (from user_namespaces man page):

   in  order   process write /proc/[pid]/uid_map (/proc/[pid]/gid_map) file, of following require‐    ments must met:     1. writing process must have cap_setuid (cap_setgid) capability in user namespace of process pid.     2. writing process must either in user namespace of process pid or in parent  user  namespace  of       process pid.     3. mapped user ids (group ids) must in turn have mapping in parent user namespace.

i believe happens first time run, mapping matches of parent uid. second time, however, not, , fails system call.

from unshare(2) manual page:

   eperm  clone_newuser specified in flags, either effective user id or effective group id of   caller           not have mapping in parent namespace (see user_namespaces(7)).

Comments

Post a Comment

Popular posts from this blog

resizing Telegram inline keyboard -

telegram's inline keyboard great feature lots of different use cases. inline buttons added list of items this: inline_keyboard = [[inlinekeyboardbutton(text="button", callback_data="button"), inlinekeyboardbutton(text="reset",callback_data="reset")]] inline_keyboard_markup = inlinekeyboardmarkup(inline_keyboard) update.message.reply_text("hi", reply_markup=inline_keyboard_markup) the above code adds 2 buttons each half width of chat screen. i know the normal keyboard button there resize_keyboard parameter somehow can used. my question is there way resize inline buttons ? example make full width or quarter width. unfortunately, can't now. :( you can suggest @botsupport , might add feature next version.
Read more

command line - How can a Python program background itself? -

consider following python command-line program. doesn't work because incomplete, think illustrates problem: #!/usr/bin/python3 import multiprocessing pool = multiprocessing.pool() task in expensive_iterator_with_user_interaction(): pool.call_async(expensive_computation, (task,)) pool.close() print("dear user, may press ctrl-z , bg script.") pool.join() thus, problem scripts needs user input while it's launching expensive parallel processes. there moment when user interaction not needed anymore. then, ask user background process shell actions. however, can achieved program itself? (side note: core of problem entanglement of user input firing “expensive computations”. therefore, cannot separate both in 2 scripts, , letting 1 spawning other daemon.) the command screen may you. use screen -l create new session , run application. after inputting data, can press " ctrl-a " , press " d " on keyboard detach session. now
Read more

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -

Image
my wordpress installation on azure app service on linux using custom docker container has slow response times. pages take around 20-40 seconds load. i have troubleshooting plugin installed indicates problem "curl error 28: resolving timed out after n milliseconds" when making requests following urls https://api.wordpress.org/core/version-check/1.7/ http://api.wordpress.org/core/version-check/1.7/ https://api.wordpress.org/plugins/update-check/1.1/ http://api.wordpress.org/plugins/update-check/1.1/ https://api.wordpress.org/themes/update-check/1.1/ http://api.wordpress.org/themes/update-check/1.1/ curl works fine on scm-site command line. example works ok. curl -x post http://api.wordpress.org/core/version-check/1.7/ edit if ssh container , run php code, works fine. <?php $url = 'http://api.wordpress.org/core/version-check/1.7/'; $fields = array( 'version' => urlencode('4.8.1'), 'php' => urlencode(
Read more