On 10/20/14 11:28, Andy Lutomirski wrote:
> On Sun, Oct 19, 2014 at 6:53 PM, Rob Landley <[email protected]> wrote:
>> On 10/19/14 18:13, Andy Lutomirski wrote:
>>>>> This implements all of the namespace parts of nsenter, but UID and GID
>>>>> switching are missing, as are -r and -w (both because they're not strictly
>>>>> necessary and because the nsenter manpage has an insufficient
>>>>> description of how they work).
>>
>> It looks like -r is just chroot and -w is just chdir.
> 
> I doubt that.

Looks like it to me.

>>
>> Except that it's not chroot, it's pivot_root in the new namespace:
> 
> I doubt that.  pivot_root edits the namespace, and setns will set the
> root to the (pivoted) ns root.

It's an implementation detail: the chroot is done with pivot_root
because otherwise you haven't actually edited the namespace and you wind
up able to escape it by moving "/" under the current directory and doing
cd ../../../../.. back up to the real / (then chroot(".") to move / again).

> The parts that I thought were unclear were:
> 
> 1. What happens if -r is passed a relative path?

You resolve it in the old namespace, just like with chroot.

> 2. What is the working directory if -r is used and -w is not used?

It's / in the new namespace, just like chroot.

> 3. What happens if -w is passed a relative path?

My guess would be you resolve it in the new namespace, but I'd probably
want to try the old command to see what it does and make sure.

> On inspection of the source, if -r and -w have arguments, then they
> are interpreted *prior to* the setns calls.  I strongly suggest not
> implementing that part of nsenter -- I think that's garbage.

The -r argument kinda has to be prior to the setns call. The -w behavior
has arguments both ways, and I can see the point of making -r and -w
behave the same way. (Basically "we interpret -w before -r".)

> That being said, my code has a bug: I should open all the ns fds prior
> to setnsing any of them.  Otherwise some of the setns calls may drop
> required privilege or lose access to the filesystem outright.

I'm 2/3 through a cleanup, I can do that too.

(Implementing sed's been taking up most of my time the past week. I
should check in a checkpoint of that...)

> --Andy

Rob
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
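
The fix Andy describes above (open every namespace fd before the first setns call), as an added example that is not code from this thread or from toybox. The function names, the procdir parameter and the fixed set of five namespaces are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int setns(int fd, int nstype); /* same as glibc's; repeated in case _GNU_SOURCE is set too late */

/* Namespaces this example enters (an assumption; the user namespace is left out). */
static const char *ns_names[] = { "ipc", "uts", "net", "pid", "mnt" };
#define NS_COUNT (sizeof(ns_names) / sizeof(ns_names[0]))

static void close_ns_fds(int fds[NS_COUNT])
{
    for (size_t i = 0; i < NS_COUNT; i++)
        if (fds[i] >= 0) { close(fds[i]); fds[i] = -1; }
}

/* Phase 1: open every ns file while still in the original namespaces, where
 * procdir/PID still names the intended target. Opening lazily between setns
 * calls can fail or resolve elsewhere once the mount namespace has changed.
 * Returns 0 on success; on failure closes what was opened and returns -1. */
int open_ns_fds(const char *procdir, long pid, int fds[NS_COUNT])
{
    char path[128];

    for (size_t i = 0; i < NS_COUNT; i++) fds[i] = -1;
    for (size_t i = 0; i < NS_COUNT; i++) {
        snprintf(path, sizeof(path), "%s/%ld/ns/%s", procdir, pid, ns_names[i]);
        fds[i] = open(path, O_RDONLY | O_CLOEXEC);
        if (fds[i] < 0) { close_ns_fds(fds); return -1; }
    }
    return 0;
}

/* Phase 2: enter the namespaces using only the fds from phase 1 (no path lookups). */
int enter_ns_fds(int fds[NS_COUNT])
{
    int rc = 0;

    for (size_t i = 0; i < NS_COUNT && rc == 0; i++)
        if (setns(fds[i], 0) < 0) rc = -1;
    close_ns_fds(fds);
    return rc;
}

int main(int argc, char **argv)
{
    int fds[NS_COUNT];

    if (argc != 2 || open_ns_fds("/proc", atol(argv[1]), fds) < 0) return 1;
    return enter_ns_fds(fds) < 0;
}
```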
