Reuse namespaces of process started by bubblewrap - linux-namespaces

Starting a shell with this:
bwrap --unshare-pid --unshare-user --dev-bind / / bash
In another shell on the host we can see this with lsns:
4026532550 user 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
lsns in the namespace reports
4026531834 time 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531835 cgroup 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531838 uts 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531839 ipc 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531992 net 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532550 user 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
The main question:
How to start a second shell in the same namespaces as the first?
Bonus question:
From my understanding there is also an intermediate namespace (only user namespace?) created by bubblewrap, in most cases
Is it possible to start a shell in the intermediate namespaces created by bubblewrap?
Would it be useless because all privileges are already dropped by bubblewrap from the intermediate namespace?
The idea would be that further mounts/unmounts can be done in the final namespace from the intermediate namespace, or some other privileged stuff
Any solution is welcomed, preferable with bubblewrap, otherwise preferable nsenter but also raw setns syscalls for PoC
Note that bwrap is not setuid, I launch bwrap as an unprivileged user, all types of namespaces are enabled in the kernel and they are working correctly as an unprivileged user afaik
According to this issue https://github.com/containers/bubblewrap/issues/253, bubblewrap can only create new mount namespaces, so this problem might not be possible to solve only with bubblewrap alone as of now
Bubblewrap is doing a great job at creating the initial namespaces, simple and enough configuration, if it creates namespaces that can't be correctly re-entered in any way I might be able to patch bubblewrap so that allows it or ditch it altogether and write an own setns wrapper based on how bubblewrap does most things
Flatpak uses bubblewrap and allows entering namespaces, has checks for if bubblewrap creates an intermediate namespace, I tried to understand the code at https://github.com/flatpak/flatpak/blob/4735e3ea90d9cfa7237aa1de7818ba396a45f084/app/flatpak-builtins-enter.c but I couldn't get that to work manually

Like this:
nsenter -U --preserve-credentials -m -p -t 1799976
Where 1799976 is the PID of the process that's currently in that namespace. If you don't want to enter the mount or PID namespace, then leave off the -m or -p, respectively.
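To see which of -U, -m, -p (or other options) apply for a given target, compare the /proc/<pid>/ns links of your own shell and of the target. The script below is an added example, not part of the original answer. The option letters are those of nsenter(1). The sample proc tree, the host PID 1000 and its user/mnt/pid inode numbers are constructed; the target's values are taken from the lsns output in the question.

```shell
#!/bin/sh
# Added example: derive the nsenter options needed to join a target's namespaces
# by comparing /proc/<pid>/ns symlinks. PROC_ROOT is a parameter so the logic
# can be run against a constructed tree; pass /proc on a real system.

# ns_id PROC_ROOT PID KIND -> prints the link target, e.g. "pid:[4026532562]"
ns_id() { readlink "$1/$2/ns/$3" 2>/dev/null; }

# nsenter_flags PROC_ROOT SELF_PID TARGET_PID
# Prints one nsenter option per namespace kind in which the two PIDs differ.
nsenter_flags() {
    flags=""
    for pair in user:-U mnt:-m pid:-p net:-n ipc:-i uts:-u cgroup:-C time:-T; do
        kind=${pair%%:*}; opt=${pair#*:}
        a=$(ns_id "$1" "$2" "$kind") || continue   # kind not exposed here
        b=$(ns_id "$1" "$3" "$kind") || continue
        [ "$a" = "$b" ] || flags="$flags $opt"
    done
    printf '%s\n' "${flags# }"
}

# Constructed sample tree. PID 1799976 uses the inode numbers from the lsns
# output in the question; PID 1000 (a host shell) and its user/mnt/pid inode
# numbers are made up for the example.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/1000/ns" "$root/1799976/ns"
    for kv in time:4026531834 cgroup:4026531835 uts:4026531838 \
              ipc:4026531839 net:4026531992; do      # shared with the host
        for p in 1000 1799976; do
            ln -s "${kv%%:*}:[${kv#*:}]" "$root/$p/ns/${kv%%:*}"
        done
    done
    for kv in user:4026531837 mnt:4026531841 pid:4026531836; do
        ln -s "${kv%%:*}:[${kv#*:}]" "$root/1000/ns/${kv%%:*}"
    done
    for kv in user:4026532550 mnt:4026532552 pid:4026532562; do
        ln -s "${kv%%:*}:[${kv#*:}]" "$root/1799976/ns/${kv%%:*}"
    done
    printf '%s\n' "$root"
}

sample=$(make_sample_proc)
echo "nsenter $(nsenter_flags "$sample" 1000 1799976) --preserve-credentials -t 1799976"
rm -rf "$sample"
```

On a real system, call `nsenter_flags /proc $$ <target-pid>`; reading another process's ns links is subject to the kernel's ptrace read-access check, so a kind that cannot be read is skipped rather than reported as different.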

Related

Shell Scripting :: Allow User in One Shell to Run App from Another User in a Different Shell?

I have an unusual question. In an Ubuntu environment (ver 16.04), how can a user in one shell run a program that's been installed by a user in another shell? Crudely put:
USER_A USER_B
----------------------- ===>> ---------------
/usr/sbin/nologin shell /bin/bash shell
where USER_B has installed some app, and that app can only be run by him.
So here's some more specific detail. On my Ubuntu machine, I'm running Apache2 ver 2.4.41. When you run Apache on your server, a www-data user is created for running your webpages, I guess. The www-data user runs in a /usr/sbin/nologin shell:
pete@myUbuntu$ sudo finger www-data
Login: www-data Name: www-data
Directory: /var/www Shell: /usr/sbin/nologin <<=======
Never logged in.
No mail.
No Plan.
pete@myUbuntu$
So www-data is USER_A. I don't really know what the /usr/sbin/nologin shell is, but it seems significant.
Apache2 hosts a webpage, and that webpage runs a script. This means from Ubuntu's perspective, user www-data is running the script. The script must run an application that was installed by another user, user pete. Here's his profile:
pete@myUbuntu$ sudo finger pete
Login: pete Name: Pete Smith
Directory: /home/pete Shell: /bin/bash <<=======
Never logged in.
No mail.
No Plan.
pete@myUbuntu$
User pete's shell is /bin/bash, which is not the same as user www-data. I'm betting this is why www-data's script can't run pete's application. Here's the script:
#!/bin/bash
cd /home/pete
whoami
pwd
/bin/bash
# Try:
{
sudo -i -u pete database_lookup_app.sh
} || {
# Catch:
echo "ERROR :: Unable to run database_lookup_app.sh"
}
When the script is run, the output on my webpage is:
www-data
/home/pete
ERROR :: Unable to run database_lookup_app.sh
Ugh! You see the problem.
I've been playing around with this, trying to figure out what I have to do to allow www-data to be allowed to run database_lookup_app.sh. I don't think it is a permissions thing, because both users pete and www-data have been added to a common user group. I've also added both users to the visudo file:
pete ALL=(ALL:ALL) ALL
www-data ALL=(ALL:ALL) ALL
There's gotta be a way to do this. Any thoughts?

/bin/sh: 1: user: not found when running shell script using crontab [duplicate]

Hi, I'm getting this error when running the shell script using crontab for the specific user.
This is my crontab:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
29 22 * * * automation /home/automation/profilecheck/untitled.sh >> /home/automation/profilecheck/profilecheck.log 2>&1
Can anyone help with this issue?
Cron jobs running with crontab -e are run as the user who issues that command and thus owns that cronjob. You need to remove the user automation from your command and create/run the cronjob from automation user account.
29 22 * * * /home/automation/profilecheck/untitled.sh >> /home/automation/profilecheck/profilecheck.log 2>&1
Or you can add your cronjob into /etc/crontab
Or move your cronjob to /etc/cron.d and make sure the user is available and has relevant permissions.

Crontab not executing script and log file not working [duplicate]

I am struggling to create a cron job since morning. Here is the process I did.
The task I am trying to run is management.sh:
#!/bin/bash
cd /var/www/mysite.com/myproject/
source ../venv/bin/activate
python manage.py dbbackup
deactivate
I made this script executable by doing sudo chmod +x /var/www/mysite.com/myproject/management.sh.
Then with crontab -e I added the following line to run every 2 mins.
*/2 * * * * /usr/bin/sh /var/www/mysite.com/myproject/management.sh >> /var/log/cron.log 2>&1
Problem
sudo tail -f /var/log/syslog | grep CRON, this is what I see,
Jul 26 09:52:01 test-svr-loc1 CRON[23583]: (dexter) CMD (/usr/bin/sh /var/www/mysite.com/myproject/management.sh >> /var/log/cron.log 2>&1)
Jul 26 09:52:01 test-svr-loc1 CRON[23582]: (CRON) info (No MTA installed, discarding output)
When I check the cron.log, it is empty.
What is wrong here?
Crontab is executing script. As per @Cyrus's suggestion in the comments, it was a permission issue. Cron was not able to write to my log as I created it with sudo. Changed permission back to me and it is now logging.

RHEL 7 tim ALL=(root) NOPASSWD: /path-to-shell.sh is not working

I have a Shell script which is owned by a particular user (tim:tim) and with permissions of 755. For example, if the shell is test.sh, the output of ls -la test.sh gives:
-rwxr-xr-x 1 tim tim 27 Sep 10 01:03 test.sh
This shell has commands that should only be run by the root user. So what I need is, I need to run this shell script as sudo test.sh without prompting for the password. So I added the following entry at the end of the /etc/sudoers file.
tim ALL=(root) NOPASSWD: /path-to-shell/test.sh
But above is not working. It's still asking for the password. But when I add an entry as follows, it works without asking for the password.
tim ALL=(root) NOPASSWD: ALL
But what I want is, user tim should only have the privilege to execute test.sh (not all) without prompting for the password.
sudo test.sh
is not the same as
sudo /path-to-shell/test.sh
If the sudoers entry:
tim ALL=(root) NOPASSWD: /path-to-shell/test.sh
allowed anyone to run a sudo test.sh without password, it would be a critical security weakness, because any user would be able to create a file named test.sh and have it executed with root privileges.
If your executable/script path is not in the secure_path variable from the /etc/sudoers file, the sudo permission only applies when invoking the command with its full path-name.
Now this may be a question for another Stack site about system administration.
See: https://unix.stackexchange.com/questions/83191/how-to-make-sudo-preserve-path/83194#83194

ls reports a different inode for a system directory (/home) in an interactive shell and in a script

If I'm working in an interactive shell of any user, an inode list query for /home returns:
[postgres@localhost ~]$ ls -ild /home
2 drwxr-xr-x 14 root root 4096 May 20 16:20 /home
However, a script called in a systemd unit file by an ExecStartPre= clause, and specified to run as a specific user (i.e. User=postgres), which runs the same ls command shown above, displays a completely different inode and fails, stopping me from running the systemd unit normally:
10364 d--------- 2 root root 40 May 20 15:06 /home
I don't really have a clue why is this so. It is actually very strange. Can somebody explain what's going on?
The stock form of the systemd unit file I was trying to access includes the ProtectHome=true clause, which as per the systemd documentation:
ProtectHome=
Takes a boolean argument or "read-only". If true, the directories /home, /root and /run/user are made inaccessible and
empty for processes invoked by this unit.
Changing the clause to false made /home available to the script.
