Web File Browser

Linux Fu: Don’t Share Well with Others

0
By on Linux


[ad_1]

In kindergarten, you learn to share. But for computer security, sharing is often a bad thing. The Linux kernel introduced the concept of namespaces starting with version 2.6.24. It’s been a few years ago, but namespaces aren’t used by many even though the tools exist to manipulate them. Granted, you don’t always need namespaces, but it’s one of those things that when you need it, the capacity is invaluable. In summary, namespaces allow you to give a process its own private resources and, more importantly, prevent a process from seeing resources in other namespaces.

Turns out you use namespaces all the time because every process you run lives in a set of namespaces. I say set because there are a number of namespaces for different resources. For example, you can define a different network namespace to give a process its own set of networking elements, including route tables, firewall rules, and everything else related to the network.

So let’s see how Linux doesn’t share names.

The possible namespaces are:

  • Mount – File system mounts. It is possible to share mounts with other namespaces, but you must do so explicitly.
  • UTS – This namespace controls things like host name and domain name.
  • IPC – A program with a separate IPC namespace will have its own message queues, semaphores, shared memory, and other elements of interprocess communication.
  • Network – The processes in the namespace will have their own networking stacks and associated configurations.
  • PID – Processes in a PID namespace cannot see other processes outside the namespace.
  • Cgroup – A namespace that provides a virtualized view of cgroup mounts for CPU management.
  • User – Individual users, groups, etc.

Obviously, some of them are more useful than others. It is easy to see, however, that if you had a system of cooperative programs, you might find it interesting to create a private space for IPC or networking between them.

Go to Shell

If you want to experiment with namespaces from the shell, you can use unshare. The name might sound strange, but the command gets its name from the fact that a new process usually shares its parent’s namespaces. the unshare The command allows you to create new namespaces.

A key characteristic or quirk of unshare is that, by default, it runs a program with the newly created namespaces, but it does not associate that program with those namespaces. Instead, the new namespaces go to all children created by the program. You can add a –fork option to make it work better as you expect.

For example, let’s start a new shell in its own private Idaho:

sudo unshare --pid --fork --mount-proc /bin/bash
ps alx

If you try this command without a separate namespace, you will get a long list of processes. But the output inside our new namespace is much smaller:

F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND 
4     0       1       0  20   0  10820  4376 -      S    pts/6      0:00 /bin/bash 
0     0       9       1  20   0  12048  1168 -      R+   pts/6      0:00 ps alx

You have to think a bit about how the different utilities work. For example, ps bed of /proc so if we have not provided --mount-proc, it would still display all major processes. (Try it.) You wouldn’t be able to interact with them, but since you can read /proc, you would always see them. the --mount-proc the flag is really just a shortcut for --mount (to get a new mount namespace), and then mounting the proc file system.

By omitting the fork The option will cause the shell to behave oddly because the shell usually starts new processes which will now be a different namespace than your main process.

If you add a filename to most arguments (like --pid Where --mount), you can create a persistent namespace that you share between processes. You can also use virtual Ethernet adapters (veth type) or a network bridge to expose a network in one namespace to another.

Supports and more options

Another useful isolation is found in the assembly table. Linux handles mounts a little differently. There are several ways you can cause mounts to propagate. If you want full privacy you can do that, but you can also share within a group or track changes in other groups but not propagate your own changes. You can read more on the man page.

An interesting thing is that since the namespaces are isolated, it is possible for a normal user to have near-root privileges in the new namespaces. the --map-root-user allows this and also activates an option to deny users to call setgroups which could allow them to obtain high authorizations.

There is more, of course. If you have util-linux installed, just ask for the unshare man page for more information. If you want to use these things in a program, which is probably easier to imagine, there is a unshare system call. Use man 2 unshare to see the details. Note that you can exercise even more control with the system call. For example, you can unlink the file system. It is closely related to the clone system call which is sort of a super version of fork.

You might find it interesting that all the namespace data for a process is displayed in /proc. For example, try:

sudo ls -l /proc/$$/ns/*

You will see specialized symbolic links with information about the different namespaces for the current process. For example:

lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/net -> 'net:[4026531992]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/time -> 'time:[4026531834]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/user -> 'user:[4026531837]'
lrwxrwxrwx 1 alw alw 0 Dec 8 07:29 /proc/2182630/ns/uts -> 'uts:[4026531838]'

It’s one of those Linux-isms that is somewhat obscure but can be very useful when you need it. Even if you don’t need it right now, it’s worth understanding as it just might solve your next development challenge. Of course, you can run your program in its own virtual machine, but that’s a pretty cumbersome option compared to just isolating what you want in a clean and simple way. Even from a shell script.

[ad_2]

Related posts:

  1. Linux: create snap packages for your own applications
  2. How to manually add software repositories in Linux
  3. Slimbook Executive is a 14 inch lightweight laptop with Windows or Linux (or both)
  4. How to get the universal control feature of macOS Monterey on Windows and Linux
Share.

About Author

Comments are closed.