Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 42 views
Relationship between CLONE_NEWUSER, `/bin/unshare` and `unshare(2)` as it relates to User Namespace
I am trying to comprehend some man7.org documentation about the User Namespace and the `/bin/unshare` command.

I started by reading this page: https://man7.org/linux/man-pages/man7/user_namespaces.7.html

On the page, there is a lot of mention of how the CLONE_NEWUSER flag can affect privileges and capabilities. But it is unclear to me whether `unshare -U /bin/bash` or `unshare -U -r /bin/bash` uses CLONE_NEWUSER in any way.

So I visited unshare(1) next to see if there is any explanation of the CLONE_NEWUSER flag usage in the `/bin/unshare` command. But there is no discussion about CLONE_NEWUSER on this page.

However, there is discussion about the CLONE_NEWUSER flag on the system call unshare(2). But it is unclear to me how `/bin/unshare` is related to unshare(2), or if they are even related at all.

Can anyone explain the relationship between `/bin/unshare -U /bin/bash` and CLONE_NEWUSER and unshare(2)?

----

Note: I am a front end HTML CSS developer trying to learn all this for the first time. I welcome references to any reading material to address gaps in knowledge about Linux basics.
learningtech (631 rep), Mar 21, 2025, 05:31 PM • Last activity: Mar 21, 2025, 10:58 PM

0 votes, 1 answer, 95 views
How can I use rsync to set the remote files owner to a userid inside a rootless Podman/Docker container
`rsync` supports `--chown`, but you need something like `podman unshare` in order for it to correctly deal with `subuid`s. How can I combine those (on a remote host)?
Torque (141 rep), Mar 12, 2025, 09:58 AM • Last activity: Mar 12, 2025, 02:26 PM

0 votes, 1 answer, 51 views
Order of mounting of entries in a mount namespace
I'm aware that `unshare -m` creates a new mount namespace, moving the process executing it into the new mount namespace being created. The latter gets a *copy* of the parent's mount namespace. Indeed, look at the following:
root@ubuntu:~# cat /proc/self/mountinfo
25 31 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
26 31 0:24 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
27 31 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4008708k,nr_inodes=1002177,mode=755,inode64
28 27 0:25 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,size=812844k,mode=755,inode64
31 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
32 25 0:6 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - securityfs securityfs rw
33 27 0:28 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw,inode64
34 29 0:29 / /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs rw,size=5120k,inode64
35 25 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
36 25 0:31 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:10 - pstore pstore rw
37 25 0:32 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:11 - bpf bpf rw,mode=700
38 26 0:33 / /proc/sys/fs/binfmt_misc rw,relatime shared:13 - autofs systemd-1 rw,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=17383
39 27 0:20 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:14 - mqueue mqueue rw
40 27 0:34 / /dev/hugepages rw,relatime shared:15 - hugetlbfs hugetlbfs rw,pagesize=2M
41 25 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime shared:16 - debugfs debugfs rw
42 25 0:12 / /sys/kernel/tracing rw,nosuid,nodev,noexec,relatime shared:17 - tracefs tracefs rw
---------------------------- output omitted ------------------------------------------
root@ubuntu:~#
root@ubuntu:~# unshare -m /bin/bash
root@ubuntu:~#
root@ubuntu:~# cat /proc/self/mountinfo
714 713 8:2 / / rw,relatime - ext4 /dev/sda2 rw
715 714 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=4008708k,nr_inodes=1002177,mode=755,inode64
716 715 0:25 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
719 715 0:28 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw,inode64
720 715 0:20 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
725 715 0:34 / /dev/hugepages rw,relatime - hugetlbfs hugetlbfs rw,pagesize=2M
726 714 0:26 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=812844k,mode=755,inode64
739 726 0:29 / /run/lock rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=5120k,inode64
740 726 0:36 / /run/credentials/systemd-sysusers.service ro,nosuid,nodev,noexec,relatime - ramfs none rw,mode=700
741 726 0:26 /snapd/ns /run/snapd/ns rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=812844k,mode=755,inode64
742 726 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=812844k,mode=755,inode64
743 726 0:46 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=812840k,nr_inodes=203210,mode=700,uid=1000,gid=1000,inode64
744 714 0:23 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
745 744 0:6 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime - securityfs securityfs rw
746 744 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
747 744 0:31 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime - pstore pstore rw
748 744 0:32 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime - bpf bpf rw,mode=700
814 744 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime - debugfs debugfs rw
815 744 0:12 / /sys/kernel/tracing rw,nosuid,nodev,noexec,relatime - tracefs tracefs rw
---------------------------- output omitted ------------------------------------------
root@ubuntu:~#
The outputs are slightly different, even though the mountpoints' parent-child dependencies are the same (different IDs in the first two columns are expected since the mount namespaces are not the same).

Now the question is: is there a reason behind the different order in which the mountpoints are actually shown?
CarloC (385 rep), Oct 29, 2024, 08:29 AM • Last activity: Oct 29, 2024, 12:47 PM
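The two listings in the question above come from the same mount tree, so the practical check is to compare them by structure rather than by row order or mount ID. The C program below is an added example, not code from the post: it parses the mountinfo format shown above (`ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [tags] - FSTYPE SOURCE SUPEROPTS`) and reports whether two snapshots describe the same parent-child tree. `SNAP_A` and `SNAP_B` are constructed, trimmed-down snapshots in that format (one with peer-group tags and small IDs, one after `unshare -m` with new IDs and a different row order), not copies of a real system.

```c
/* mountinfo_tree.c: parse /proc/self/mountinfo text and compare two snapshots by
 * mount-point parentage instead of by mount ID or row order. Added example, not
 * code from the post; SNAP_A/SNAP_B are constructed in the format the post shows. */
#include <stdio.h>
#include <string.h>

#define MAX_MOUNTS 512
struct mnt { int id; int parent; char mp[256]; };

/* Host namespace: small IDs, "shared:N" peer groups present. */
static const char *const SNAP_A =
    "31 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw\n"
    "25 31 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw\n"
    "27 31 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw\n"
    "28 27 0:25 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw\n";
/* After `unshare -m`: new IDs, no peer groups, rows in a different order. */
static const char *const SNAP_B =
    "714 713 8:2 / / rw,relatime - ext4 /dev/sda2 rw\n"
    "715 714 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw\n"
    "716 715 0:25 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw\n"
    "744 714 0:23 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n";

/* Each row: "ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [tags] - FSTYPE SRC SUPEROPTS".
 * Keeps ID, parent ID and mount point. Returns rows parsed, or -1 on bad input. */
static int parse_mountinfo(const char *text, struct mnt *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {
            if (sscanf(line, "%d %d %*s %*s %255s",
                       &out[n].id, &out[n].parent, out[n].mp) != 3)
                return -1;
            n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Mount point of the row with this ID, or "" if absent. The root mount's parent
 * is absent by design: that ID belongs to the namespace it was cloned from. */
static const char *mountpoint_of(const struct mnt *m, int n, int id)
{
    for (int i = 0; i < n; i++)
        if (m[i].id == id) return m[i].mp;
    return "";
}

/* 1 when every mount point exists in both snapshots under the same parent mount
 * point. IDs and row order are deliberately ignored. */
static int same_tree(const struct mnt *a, int na, const struct mnt *b, int nb)
{
    if (na != nb) return 0;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb; j++) {
            if (strcmp(a[i].mp, b[j].mp) != 0) continue;
            found = 1;
            if (strcmp(mountpoint_of(a, na, a[i].parent),
                       mountpoint_of(b, nb, b[j].parent)) != 0)
                return 0;
        }
        if (!found) return 0;
    }
    return 1;
}

/* 1 same tree, 0 different tree, -1 if either text failed to parse. */
static int snapshots_match(const char *text_a, const char *text_b)
{
    static struct mnt a[MAX_MOUNTS], b[MAX_MOUNTS];
    int na = parse_mountinfo(text_a, a, MAX_MOUNTS);
    int nb = parse_mountinfo(text_b, b, MAX_MOUNTS);
    if (na < 0 || nb < 0) return -1;
    return same_tree(a, na, b, nb);
}

int main(void)
{
    printf("SNAP_A and SNAP_B describe the same tree: %d\n",
           snapshots_match(SNAP_A, SNAP_B));
    return 0;
}
```

To run it against real data, read `/proc/self/mountinfo` before and after `unshare -m` into two buffers and hand them to `snapshots_match()`; a result of 1 means the namespaces differ only in IDs and row order, which is the situation in the question.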
0 votes, 1 answer, 838 views
basename complains about missing operand using unshare
If I try to create namespaces, basename complains about missing operand:

```
sudo unshare --mount --ipc --uts --pid --fork --user /bin/bash
basename: missing operand
Try 'basename --help' for more information.
```

I even tried with `bash --norc` with no luck.

Why does this error occur? And how do I fix it?

## UPDATE 1

When I said that "I even tried with `bash --norc` with no luck." I meant that I ran `bash --norc` and then `sudo unshare ...`, but this works:

```
sudo unshare --mount --ipc --uts --pid --fork --user /bin/bash --norc --noprofile
```

I wonder anyway why, because I have basename in .bashrc only inside functions, and with those functions disabled it outputs the same error.
sebelk (4669 rep), Jul 19, 2024, 12:32 AM • Last activity: Jul 20, 2024, 02:48 PM

13 votes, 2 answers, 6522 views
unshare --map-root-user switch to original uid/username after setup
I'm using unshare to create per-process mounts, which is working perfectly fine by

```
unshare -m --map-root-user
```

However, after having created my bind-mounts by

```
mount --bind src dst
```

I want to change the UID to my original user, so that `whoami` (and others) echoes my username like `echo $USER` does.

I have already tried the answer of https://unix.stackexchange.com/questions/66084/simulate-chroot-with-unshare/303660

However, doing `su - user1` after `chroot /`, I get

```
su: Authentication failure
(Ignored)
setgid: Invalid argument
```

I have tested this on Ubuntu 18.04 Beta, Debian stretch, openSUSE-Leap-42.3. It's all the same. I guess something has changed in the kernel since this answer was working.

What is a working and correct way to do that (of course without being **real** root)?
spawn (359 rep), Apr 26, 2018, 10:46 AM • Last activity: May 14, 2024, 10:10 AM

1 vote, 0 answers, 35 views
Isolating a child process in a remote desktop program
I'm developing a remote desktop/streaming program for linux. When a user logs in, they specify a program to launch, and the remote server launches that program as a new process. The server process acts as a wayland compositor, so the child process runs offscreen (from the perspective of any other user on the server), and gets its input from the compositor.
This works well for simple applications, but many desktop applications like Steam (which is an important one for this use case) use (I think) dbus to check if there's an existing instance of steam running, and if there is, they switch to it. So simply fork/exec'ing the process doesn't work if there is already a window open.
I've tried using unshare(2) to create a mount namespace for each child, and then mounting something over /run to hide dbus. I haven't been successful in this approach yet.
Containerization is the obvious general approach here, both for isolation and providing some minor security benefits. However, I'd prefer that the server process be standalone, rather than requiring e.g. Docker or lxd to be running alongside it.
I don't care that much about security - or rather, the solution to this problem does not necessarily have to prevent container escapes or similar attacks.
What linux-friendly technologies or kernel features would be good for this problem and reasonably easy to implement in a C/Rust program?
colinmarc (11 rep), Dec 15, 2023, 01:50 PM

1 vote, 3 answers, 1436 views
Making a bind-mount take effect only in the context of the current process and its descendants
I have 2 files: /MyDir/a and /MyDir/MySubDir/b and am running a bash script, to which I want to add code to make file /a point to file /b, but only in the current process and its descendants.

In hopes of making /MyDir/a point to /MyDir/MySubDir/b in the context of only the current process (not including its descendants, yet) I tried to first make the current process run in its own mount namespace by running a small C program in my script that performs `unshare(CLONE_NEWNS)` and then `mount --bind /MyDir/MySubDir/b /MyDir/a`. Unfortunately, this didn't work as I expected since the mount was still visible by other processes, despite the system call reporting success.

In another attempt, I tried to make the mount from the C code by calling `mount("/MyDir/a", "/MyDir/MySubDir/b", "ext3", MS_BIND, null)`. But this didn't work as the mount didn't take effect at all (despite the call reporting success).

Is there a way of making /MyDir/a point to /MyDir/MySubDir/b in the context of only the current process and its descendants using a bash script?

I also read a little about chroot, but this applies only to the / directory... Is there anything similar to chroot that applies only to a particular subdirectory?

Thanks for your time!
Ben S. (13 rep), May 18, 2018, 07:03 PM • Last activity: Jan 10, 2023, 06:16 PM
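A C version of the procedure the question above is after, added here as an example and not code from the post. It creates the mount namespace with the same `unshare(CLONE_NEWNS)` call, then makes `/` recursively private before the bind mount: on a systemd host `/` is a shared mount (the `shared:1` tag on the `/` row in the mountinfo listing earlier on this page), and a bind mount made under a shared mount propagates back to the namespace you just left even though `unshare` itself succeeded. `root_is_shared()` is the pre-check a practitioner would run first; `private_bind()` takes `(source, target)` in the order mount(2) defines them. It needs CAP_SYS_ADMIN in the caller's user namespace, so run it as root or after an `unshare -U` step.

```c
/* private_bind.c: a bind mount visible only to this process and its descendants.
 * Added example, not code from the post. It is the C form of
 *   unshare -m; mount --make-rprivate /; mount --bind SRC DST
 * and needs CAP_SYS_ADMIN in the caller's user namespace. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* value from <linux/sched.h> */
#endif

/* A mountinfo row's optional tags sit between the mount options and the " - "
 * separator. "shared:N" there means mounts made under it propagate to every
 * peer, including the namespace we just left. */
static int line_is_shared(const char *mountinfo_line)
{
    const char *sep = strstr(mountinfo_line, " - ");
    if (!sep) return -1;                       /* not a mountinfo row */
    for (const char *p = mountinfo_line; p + 7 <= sep; p++)
        if (strncmp(p, "shared:", 7) == 0) return 1;
    return 0;
}

/* 1 if "/" in the caller's mount namespace is a shared mount, 0 if not,
 * -1 if /proc/self/mountinfo cannot be read. */
static int root_is_shared(void)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char line[1024], mp[256];
    int res = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%*d %*d %*s %*s %255s", mp) == 1 && strcmp(mp, "/") == 0) {
            res = line_is_shared(line);
            break;
        }
    fclose(f);
    return res;
}

/* New mount namespace, propagation cut, then the bind. Returns 0 or -errno. */
static int private_bind(const char *src, const char *dst)
{
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0) return -errno;
    /* Without this the copied tree still belongs to the old peer groups. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -errno;
    /* mount(2) order is (source, target): the contents of src appear at dst. */
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s SRC DST CMD [ARGS...]\n", argv[0]);
        return 2;
    }
    printf("/ shared before unshare: %d\n", root_is_shared());
    int rc = private_bind(argv[1], argv[2]);
    if (rc < 0) {
        fprintf(stderr, "private_bind: %s\n", strerror(-rc));
        return 1;
    }
    printf("/ shared after make-rprivate: %d\n", root_is_shared());
    /* CMD and its children see the bind; nothing else on the host does. */
    execvp(argv[3], argv + 3);
    perror("execvp");
    return 1;
}
```

Run as `./private_bind /MyDir/MySubDir/b /MyDir/a bash`: the shell and everything it starts see `b` at `/MyDir/a`, and the rest of the system does not. From a plain bash script the same three steps are `unshare -m`, `mount --make-rprivate /`, `mount --bind`, with the script's remaining commands run inside that `unshare`.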
2 votes, 2 answers, 1743 views
Why unshare with chroot does not isolate /dev like /proc?
I am following Container from scratch by Kevin Boone.

I have alpine mini root filesystem under /mnt/container/. I am a little puzzled about how the mount works with chroot and unshare involved.

Without unshare, if we do

```
chroot /mnt/container /bin/sh -l
```

we get a container (kind of) with its "/" (root) at host machine's /mnt/container.

Inside the container if we run the following commands:

```
mount -t proc proc /proc >& /dev/null
mount -t devtmpfs dev /dev/ >& /dev/null
```

we see that we have mounted the host system's /proc and /dev and hence we can see the processes that are running on the host with `ps -ef` and can create a file in /dev as well which will be created on the host. This is expected because there is still no namespace isolation.

To create the namespace isolation we do:

```
unshare -mpfu chroot /mnt/container /bin/sh -l
```

and then inside the container we run

```
mount -t proc proc /proc >& /dev/null
mount -t devtmpfs dev /dev/ >& /dev/null
```

This time `ps -ef` will show only two processes that are inside the container. What I understand (correct me if I am wrong) is that `mount -t proc proc /proc >& /dev/null` did not mount the /proc of host system, but created a new directory /proc of type procfs, hence isolation.

But, and this is the question, /dev inside the container is still the same /dev of the host. I can still create files inside /dev and it shows up on host machine.

Why is /dev not isolated like /proc?
Nagri (225 rep), Jul 26, 2022, 12:54 PM • Last activity: Dec 21, 2022, 07:14 AM

3 votes, 2 answers, 1175 views
Can't `chown` with `unshare`
I run `unshare -r touch file`. However, `unshare -r chown nobody file` gives me `Invalid argument`. Why?
DrownedSuccess (93 rep), Jul 27, 2022, 11:30 AM • Last activity: Jul 27, 2022, 03:24 PM

2 votes, 2 answers, 951 views
Why is the Linux command `unshare --pid=p --mount=m` not creating a persistent namespace?
From everything I have read in the `unshare` and `nsenter` man pages, I should be able to bind-mount a directory to itself, `mount --make-private` the directory, and then use files within that directory to hold refs for persistent namespaces. Here is what I'm doing, basically the same as in `man unshare` but with different directories and using `--pid=file` in addition to `--mount=file`:

```
# Terminal 1:
# mkdir -p /mnt/jails/debian/bookworm/.ns
# mount --bind /mnt/jails/debian/bookworm/.ns /mnt/jails/debian/bookworm/.ns
# touch /mnt/jails/debian/bookworm/.ns/{mount,pid}
# mount --make-private /mnt/jails/debian/bookworm/.ns
# unshare --fork --mount-proc --mount=/mnt/jails/debian/bookworm/.ns/mount --pid=/mnt/jails/debian/bookworm/.ns/pid /bin/sh & echo $!; fg
151299
151299
sh-4.4# echo $$
1
sh-4.4# grep NS /proc/self/status
NStgid: 3
NSpid: 3
NSpgid: 3
NSsid: 0
```

So far so good, the container above is working. While that runs:

```
# Terminal 2:
# nsenter --mount=/mnt/jails/debian/bookworm/.ns/mount --pid=/mnt/jails/debian/bookworm/.ns/pid /bin/sh
sh-4.4# ps ax
Error, do this: mount -t proc proc /proc
# ls /proc/1/exe -l
lrwxrwxrwx. 1 root root 0 Jul 21 18:49 /proc/1/exe -> /usr/bin/bash
sh-4.4# mount -t proc proc /proc
sh-4.4# ps ax|head
sh-4.4# grep NS /proc/self/status
NStgid: 156987
NSpid: 156987
NSpgid: 156987
NSsid: 156921
```

I've also tried this in Terminal 2 (note the pid from Terminal 1) with the exact same results:

```
# nsenter -t 151299 -a /bin/sh
sh-4.4# ps ax
Error, do this: mount -t proc proc /proc
# ls /proc/1/exe -l
lrwxrwxrwx. 1 root root 0 Jul 21 18:49 /proc/1/exe -> /usr/bin/bash
sh-4.4# mount -t proc proc /proc
sh-4.4# ps ax|head
sh-4.4# grep NS /proc/self/status
NStgid: 155356
NSpid: 155356
NSpgid: 155356
NSsid: 143538
```

For some reason `nsenter` is entering the host OS's pid space; however, it does seem to see the namespace of the correct /proc directory, but it is invalid for `sh` in terminal 2 because the pid namespace isn't working, so (I think) that's why `ps ax` gives an error. Also I've tried both with and without `--mount-proc`.

# Questions:

- How can I enter the PID namespace from Terminal 1?
- What am I doing wrong here?

(Host linux kernel is 5.18 running Oracle Linux 8.)
KJ7LNW (525 rep), Jul 22, 2022, 02:03 AM • Last activity: Jul 25, 2022, 06:07 AM

4 votes, 1 answer, 1351 views
How do you get the child pid of `unshare` when using --fork for `nsenter -t <pid>`?
When using `unshare --pid --fork`, the `nsenter` command must attach to the child pid, not the `unshare` pid, to get to the right pid namespace.

I can get unshare's pid as follows:

```sh
unshare --pid --mount --fork --mount-proc bash &
echo PID: $!
fg
```

but I need `unshare`'s child's pid (2914003) to enter the right namespace:

```
ps wwfuax | grep -A1 unshare
2914002 pts/4 S 0:00 | \_ unshare --pid --mount --fork --mount-proc bash
2914003 pts/4 S+ 0:00 | \_ bash
```

This works: `nsenter -t 2914003`

This does not: `nsenter -t 2914002`

I was hoping for some kind of option like `unshare --show-child-pid`, but there isn't one.

What is a nice reliable way to get unshare's child's pid?
KJ7LNW (525 rep), Jul 23, 2022, 04:18 AM • Last activity: Jul 23, 2022, 01:09 PM
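One reliable way to obtain the PID of the process that `unshare --fork` spawned is to read it out of `/proc` rather than parse `ps`: every `/proc/[pid]/stat` carries the parent PID as its fourth field, after the parenthesised command name. The C program below is an added example, not code from the post. Given unshare's PID (`$!` in the shell snippet above) it prints the PIDs whose parent is that process, which is the value `nsenter -t` needs; with no argument it forks a child of its own and locates it the same way. It assumes a Linux `/proc` that is not mounted with `hidepid`.

```c
/* unshare_child.c: find the PID of the process `unshare --fork` spawned, which
 * is the one `nsenter -t` needs. Added example, not from the post. Children are
 * located by scanning /proc/[pid]/stat for rows whose parent field is the given
 * PID, so no pgrep/ps is required; assumes /proc is not mounted with hidepid. */
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Parent PID of `pid`, or -1. The comm field in /proc/[pid]/stat is wrapped in
 * parentheses and may itself contain spaces or ')', so parse after the last ')'. */
static pid_t ppid_of(pid_t pid)
{
    char path[64], buf[512];
    int ppid;
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *close_paren = strrchr(buf, ')');
    if (!close_paren) return -1;
    /* after ')' the fields are: STATE PPID PGRP ... */
    if (sscanf(close_paren + 1, " %*c %d", &ppid) != 1) return -1;
    return (pid_t)ppid;
}

/* Fill `out` with up to `max` PIDs whose parent is `parent`; returns the count
 * or -1 if /proc cannot be opened. */
static int children_of(pid_t parent, pid_t *out, int max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && n < max) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0') continue;   /* not a PID directory */
        if (ppid_of((pid_t)pid) == parent) out[n++] = (pid_t)pid;
    }
    closedir(d);
    return n;
}

/* Self-contained check: fork a child that just waits, locate it through /proc
 * exactly as you would locate unshare's forked child, then reap it.
 * Returns the child's PID, or -1 if the scan missed it. */
static pid_t demo_find_forked_child(void)
{
    pid_t kids[64], found = -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { pause(); _exit(0); }
    int n = children_of(getpid(), kids, 64);
    for (int i = 0; i < n; i++)
        if (kids[i] == child) found = child;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return found;
}

int main(int argc, char **argv)
{
    if (argc == 2) {
        /* After `unshare --pid --fork ... &`, run: ./unshare_child $!  */
        pid_t kids[64];
        int n = children_of((pid_t)atoi(argv[1]), kids, 64);
        for (int i = 0; i < n; i++) printf("%d\n", (int)kids[i]);
        return n > 0 ? 0 : 1;
    }
    pid_t c = demo_find_forked_child();
    printf("forked child located via /proc: %d\n", (int)c);
    return c > 0 ? 0 : 1;
}
```

In the shell flow from the question: `unshare --pid --mount --fork --mount-proc bash &` then `nsenter -t "$(./unshare_child $!)" -a`. Since `unshare --fork` has exactly one child, the scan returns a single PID; if `unshare` has not forked yet when you ask, it returns nothing, so retry rather than assume.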
1 vote, 1 answer, 422 views
If ports are unprivileged, why can't I access them if I am root in a namespace?
I've run `sudo sysctl -w net.ipv4.ip_unprivileged_port_start=1`. However, `sudo ip netns exec myvpn unshare -r python -m http.server -b 127.0.0.1 2` does not work. Strangely enough, this does: `sudo ip netns exec myvpn unshare python -m http.server -b 127.0.0.1 2`. Why?

**EDIT**: However, both `sudo ip netns exec myvpn sudo -u $USER unshare python -m http.server -b 127.0.0.1 2` and `sudo ip netns exec myvpn sudo -u system unshare -r python -m http.server -b 127.0.0.1 2` don't work.
DrownedSuccess (93 rep), Jul 10, 2022, 09:28 PM • Last activity: Jul 10, 2022, 09:53 PM

0 votes, 1 answer, 526 views
How to login to a user namespace created by unshare?
How to log in to a `user namespace` created by `unshare -U` from another terminal?
Franc (309 rep), Jun 13, 2022, 02:20 PM • Last activity: Jun 13, 2022, 03:05 PM

2 votes, 1 answer, 1270 views
Unshare with overlayfs results in permission denied with su
I am trying to setup 'rootless' containers by hand, with just `unshare` and mounting `overlayfs`. Currently, I can unpack a rootfs tarball, setup a `/tmp` and `/proc` mount, and pivot_root/chroot into it without issue. I can also `adduser` and `su` as that new user.

However, when I setup an `overlayfs` mount, where the lower layer is the unpacked tarball, and the upper layer is a temp directory, repeating the above steps fails with a permission denied issue when I `su` as the new user. I suspect it has to do with the newly created user in `adduser` not having permissions to read from the overlay filesystem, but I am not sure. I don't see any logs in dmesg even with setting `/proc/sys/kernel/printk` to 6.

# Reproduction Steps

## What Works (unpacked tarball)

Unshare into a new mount and user namespace in a terminal:

```shell
unshare -pf --user --mount-proc --kill-child /bin/bash
```

In another terminal use `newuidmap` and `newgidmap` for the new process:

```shell
newuidmap $PID 0 1000 1 1 100000 65536
newgidmap $PID 0 1000 1 1 100000 65536
```

Back to the first terminal, in the namespace, unpack the rootfs, setup the mounts, and chroot into it and create a new user.

```shell
mkdir rootfs
tar -xvf alpine-minirootfs-3.15.3-x86.tar -C rootfs
mkdir mountpoint
mount --bind rootfs/ mountpoint/
mkdir -p mountpoint/tmp/
mkdir -p mountpoint/proc/
mount -t tmpfs none mountpoint/tmp/
mount -t proc none mountpoint/proc
cd mountpoint/
pivot_root . .
exec chroot . /bin/sh
# Create the new user and su as it
adduser -s /bin/sh -D newuser
# The below command works
su newuser -
```

The above steps work where I am able to `su` as `newuser`.

## What doesn't work (overlayfs)

Changing the mountpoint to be backed by overlayfs does not work. Repeating the steps from above to prepare the rootfs.

Unshare into a new mount and user namespace in a terminal.

```shell
unshare -pf --user --mount-proc --kill-child /bin/bash
```

In another terminal use `newuidmap` and `newgidmap` for the new process:

```shell
newuidmap $PID 0 1000 1 1 100000 65536
newgidmap $PID 0 1000 1 1 100000 65536
```

Back to the first terminal, in the namespace, unpack the rootfs, setup an overlay mount, chroot into it and create a new user.

```shell
mkdir rootfs
tar -xvf alpine-minirootfs-3.15.3-x86.tar -C rootfs
mkdir mountpoint
# This is the key difference from above
mount -t overlay none -o lowerdir=$(realpath ./rootfs),upperdir=$(mktemp -d),workdir=$(mktemp -d) $(realpath ./mountpoint)
mkdir -p mountpoint/tmp/
mkdir -p mountpoint/proc
mount -t tmpfs none mountpoint/tmp/
mount -t proc none mountpoint/proc
cd mountpoint/
pivot_root . .
exec chroot . /bin/sh
# Create the new user and su as it
adduser -s /bin/sh -D newuser
# The below command fails with permission denied
su newuser -
#
# su: can't execute '/bin/sh': Permission denied
```

## Environment Info

The above commands were run on Ubuntu Impish with kernel 5.13.0-37-generic.
Zameer Manji (777 rep), Mar 29, 2022, 04:17 PM • Last activity: Jun 8, 2022, 07:10 PM

0 votes, 0 answers, 244 views
How to expand the number of subuids for a linux namespace
After running something like this:

```
$ unshare -rUm
$ mkdir opt
$ mount --bind opt /opt
$ touch /opt/test
$ chown 1000:1000 /opt/test
```

I'm receiving this:

```
chown: changing ownership of '/opt/test': Invalid argument
```

As I can see, I only have 1 subuid that I can use.

```
$ cat /proc/self/uid_map
0 1000 1
```

How can I add more than that?

I already have this in my subuid/subgid files:

```
$ cat /etc/subuid
cloud-user:100000:65537
```
Marius (1 rep), Jun 3, 2022, 01:38 PM

16 votes, 3 answers, 9670 views
Simulate chroot with unshare
I am trying to write a bootstrapper for a minimal, from-source linux distribution.
I would like to build in a chroot-like environment. This should simplify packaging. I do not care about security at this point. The bootstrapper should not require any non-standard third-party commands. It would be great if there is no need to be root, either.
This is why fakechroot(1), fakeroot(1) and chroot(1) are not exactly what I am looking for.
Is it possible to fake / using unshare(1) and /bin/sh?
Rooties (161 rep), Feb 25, 2013, 07:45 PM • Last activity: Mar 22, 2022, 12:22 AM

1 vote, 1 answer, 1438 views
echo to gid_map fails but uid_map success
I'm trying to map the user and group ids in a new namespace by writing to the uid_map and gid_map files.

So on **terminal-1** I'm doing

```
vaibhav@vaibhav:~$ unshare -U /bin/sh
$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
$ echo $$
2506
```

then I open a new terminal, i.e. **terminal-2**, and I do

```
vaibhav@vaibhav:~$ echo '0 1000 1' > /proc/2506/uid_map
vaibhav@vaibhav:~$ echo '0 1000 1' > /proc/2506/gid_map
-bash: echo: write error: Operation not permitted
```

now if I check on **terminal-1**

```
$ id
uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
```

I know we can write to the uid_map & gid_map file only once, but it is failing on the first write itself.

I want to know why writing to gid_map is failing. I'm using Mint 20.3.
Vaibhav.c (143 rep), Feb 26, 2022, 06:48 AM • Last activity: Feb 26, 2022, 11:19 AM
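Several questions on this page turn on the same handful of kernel rules: the CLONE_NEWUSER/unshare(2) question at the top, the `unshare -r chown nobody` one, the `--map-root-user` one about getting the original UID back, and the uid_map/gid_map one just above. The C program below is an added example, not code from any of the posts. It performs by hand what `unshare -r` does: `unshare(CLONE_NEWUSER)`, then `deny` to `/proc/self/setgroups`, then a one-line gid_map and uid_map (the gid_map write is refused with EPERM if setgroups has not been denied first, which is the order the echo commands above did not follow). It then repeats the sequence in a nested user namespace that maps the caller's real UID back, so `id` reports the original user after root-only setup work. Assumptions: an unprivileged user on Linux 3.19 or later with user namespaces enabled; the command to run afterwards is whatever is passed on the command line.

```c
/* userns_map.c: what `unshare -r` does under the hood, then a nested user
 * namespace to get the caller's normal UID back. Added example, not code from
 * any of the posts. Assumes an unprivileged user on Linux >= 3.19 with user
 * namespaces enabled. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif

/* uid_map/gid_map accept exactly one write(2) and reject partial ones, so the
 * whole map has to go down in a single call. Returns 0 or -errno. */
static int write_once(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, text, strlen(text));
    if (n < 0) { int e = errno; close(fd); return -e; }
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -EIO;
}

/* The one-line "inside outside 1" map an unprivileged process may write: its own
 * outer ID, mapped to any single inner ID. More ranges, or someone else's ID,
 * need CAP_SETUID/CAP_SETGID in the parent namespace (newuidmap/newgidmap). */
static const char *single_map(unsigned inside, unsigned outside)
{
    static char buf[64];               /* single-threaded helper, not reentrant */
    snprintf(buf, sizeof buf, "%u %u 1\n", inside, outside);
    return buf;
}

/* Equivalent of `unshare -U` plus the writes `-r` performs, in the order the
 * kernel requires for an unprivileged caller: unshare(CLONE_NEWUSER), "deny" to
 * setgroups, gid_map, uid_map. A gid_map write before the setgroups deny fails
 * with EPERM, and once gid_map is set setgroups can no longer be changed.
 * Returns 0 or -errno. */
static int enter_userns(unsigned inside_uid, unsigned inside_gid)
{
    unsigned outer_uid = (unsigned)geteuid();   /* read before the IDs become unmapped */
    unsigned outer_gid = (unsigned)getegid();
    int rc;
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0) return -errno;
    if ((rc = write_once("/proc/self/setgroups", "deny")) < 0) return rc;
    if ((rc = write_once("/proc/self/gid_map", single_map(inside_gid, outer_gid))) < 0) return rc;
    return write_once("/proc/self/uid_map", single_map(inside_uid, outer_uid));
}

int main(int argc, char **argv)
{
    unsigned me = (unsigned)getuid(), my_gid = (unsigned)getgid();
    int rc;

    /* Step 1: inner uid 0 maps to our real uid. This is the namespace in which
     * mount --bind and friends are permitted (CAP_SYS_ADMIN inside it). Only one
     * uid exists in this map, so chown to any other ID here fails with EINVAL. */
    if ((rc = enter_userns(0, 0)) < 0) {
        fprintf(stderr, "enter_userns(0, 0): %s\n", strerror(-rc));
        return 1;
    }
    printf("step 1: uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    /* In a real tool the mount setup goes here, between the two steps. */

    /* Step 2: a nested namespace where inner uid `me` maps to uid 0 of step 1,
     * i.e. back to the real uid two levels up. Mounts made between the steps
     * stay in effect; only the numbers this process sees change, so `id` and
     * `whoami` report the original user again. */
    if ((rc = enter_userns(me, my_gid)) < 0) {
        fprintf(stderr, "enter_userns(%u, %u): %s\n", me, my_gid, strerror(-rc));
        return 1;
    }
    printf("step 2: uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    if (argc > 1) { execvp(argv[1], argv + 1); perror("execvp"); }
    return argc > 1 ? 1 : 0;
}
```

The shell equivalent of step 2 is a second `unshare -U --map-user=$UID --map-group=$GID` run from inside the `--map-root-user` shell; the kernel rule behind both is that an unprivileged writer may put exactly one line in each map, and that line may only mention the writer's own current ID on the outside.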
5 votes, 1 answer, 2889 views
How can I use a bind mount in a network namespace?
I have an app I run in a network namespace. This works well.

I want to run the app multiple times, in different namespaces. For convenience, I want to bind mount the app's working directory to something like /tmp/nsX, inside of the namespace.

If I just do `mount --bind /tmp/nsX /var/lib/my-app` in the namespace, the mount goes away when I exit the namespace. By enter/exit the namespace, I mean just `ip netns exec bash`.

I'm looking at `unshare` and `nsenter` but I can't figure out what to do.

I want to:

- Configure networking for a namespace
- Create a bind mount for my app's working dir, in the namespace.
- Spawn my app in the namespace. It has a "fork" option if that helps.
- Be able to leave and enter the namespace(s) without things dying or disappearing.

If I need to use some of the other namespace types, that's fine.
sea chub (215 rep), Jan 13, 2022, 02:14 AM • Last activity: Feb 19, 2022, 01:40 PM

1 vote, 1 answer, 2567 views
Unshare with --mount-proc creates a new mnt namespace
I am a little confused about what `--mount-proc` does when used with the `unshare` command.

When I use `unshare -fp --mount-proc bash`, I notice that it results in both a new PID namespace and a new MNT namespace.

Given that I am in a new MNT namespace, I tried unmounting one of the loop devices and noticed that this was not reflected in the parent MNT (the mount still shows when I run `df -h` in the parent namespace).

Now, I went one step ahead, and, from within the new MNT namespace, created a new root using `pivot_root` and unmounted the original root. As expected, the new namespace now has a different root. The parent namespace still has the original root directory.

My Question: If I can achieve creating a new MNT namespace without using the `-m` option in the `unshare` command, and also achieve creating an isolated root directory for the new process, what different purpose does the MNT namespace serve?

I would be grateful for any guidance from the experts.

EDIT: I have modified my original post, which said that changing the root in the new namespace also changes the root in the parent namespace. I am no longer able to reproduce this. But my question on being able to create a new MNT namespace with just the `--mount-proc` option and without using `-m` with `unshare` still remains.
user1689430 (23 rep), Sep 28, 2021, 07:20 PM • Last activity: Sep 30, 2021, 08:09 PM

4 votes, 0 answers, 355 views
unshare with supplementary groups
On my Linux machine, I (my user) have a main group and multiple other groups (note I belong to group 150):

```
$ id -u; id -g; id -G
1000
1000
1000 6 21 91 97 150 190 465 996 1003
```

I need to isolate a command into a user namespace. I use `unshare --user` for that:

```
$ unshare --user --map-user=4000 --map-group=4000 bash -c 'id -u; id -g; id -G'
4000
4000
4000 65534
```

(Note that all groups I belonged to are kept but, as most of them are not mapped in the new user namespace, they are replaced by the overflow group, 65534, "nobody", or "nogroup". A call to `getgroups` confirms that by returning the list "1000 65534 65534 65534 65534 65534 65534 65534 65534 65534". `id` deduplicates that list.)

I'm not allowed, as a user, to map any group except the effective group in the parent namespace (1000). But here, I do need to use one of my supplementary groups to run an executable with escalated privileges (note that /usr/bin/dumpcap may be executed only if one is in the group 150, in which I am in the outer namespace):

```
$ ls -n /usr/bin/dumpcap
-rwxr-xr-- 1 0 150 116928 Jun 7 21:16 /usr/bin/dumpcap
$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap cap_dac_override,cap_net_admin,cap_net_raw=eip
```

Is there a way to make a group in the user namespace mapped to a supplementary group I belong to in the parent namespace (here 150)? Without CAP_SETGID of course, it would be too easy. ;-)
audeoudh (141 rep), Jun 18, 2021, 10:04 AM
Showing page 1 of 20 total questions