|
|
Log in / Subscribe / Register

User namespaces progress

User namespaces progress

Posted Jan 3, 2013 17:44 UTC (Thu) by andresfreund (subscriber, #69562)
In reply to: User namespaces progress by Cyberax
Parent article: User namespaces progress

It depends a bit on how you want to start java, but in general you can do stuff like:
$ nc -l 234
nc: Permission denied
$ cp `which nc` /tmp/nc && sudo setcap cap_net_bind_service+ep /tmp/nc
$ /tmp/nc -l 234
^C

In many scenarios you probably will end up using something like capsh or pam-cap.

to post comments

User namespaces progress

Posted Jan 3, 2013 19:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

By copying a binary.

Beautiful. Not.

> In many scenarios you probably will end up using something like capsh or pam-cap.
I'll gladly send you a beer if you can give me a command line that actually works. I have tried all sorts of capsh command variations, but NONE of them works.

User namespaces progress

Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562) [Link] (3 responses)

> By copying a binary.
> Beautiful. Not.

I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.

> In many scenarios you probably will end up using something like capsh or pam-cap.

libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"

It should be rather similar for other distributions.

Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C

User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link] (1 responses)

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Doesn't work with Java, just tried it on my system (it's Debian Stable).


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds