Linux Namespace Tests


Testing the UTS namespace

  1. Use visudo to add the test user to /etc/sudoers

[test@localhost ~]$ sudo unshare -u /bin/bash
[sudo] password for test:
[root@localhost test]# hostname
localhost.localdomain
[root@localhost test]# hostname test.localdomain
[root@localhost test]# hostname
test.localdomain

Testing the user namespace

CentOS 7 does not enable user namespaces by default, so raise the limit first:

[root@localhost ~]# echo 10000 > /proc/sys/user/max_user_namespaces

Create a user namespace and map the current user to root inside the new namespace (the -r option):

[root@localhost ~]# sudo unshare -U -r /bin/bash 
[root@localhost ~]# echo $$
15778
[test@localhost ~]$ cat /proc/15778/uid_map
0 1000 1
[test@localhost ~]$ cat /proc/15778/gid_map
0 1000 1

Understanding the UID and GID mappings

Without the -r option, unshare -U /bin/bash shows the following (CentOS 7):

[test@localhost ~]$ sudo echo   # cache sudo credentials first; if you run sudo unshare -U /bin/bash directly, the files under /proc/$$/ are all owned by root
[sudo] password for test:
[test@localhost ~]$ unshare -U /bin/bash
[nfsnobody@localhost ~]$ echo $$
3105
[nfsnobody@localhost ~]$ ls /proc/3105/uid_map /proc/3105/gid_map -l
-rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 6 23:05 /proc/3105/gid_map
-rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 6 23:05 /proc/3105/uid_map
[nfsnobody@localhost ~]$ cat /proc/3105/uid_map
[nfsnobody@localhost ~]$ cat /proc/3105/uid_map

Viewed from the test user's shell outside the namespace instead:

[test@localhost ~]$ ls /proc/3105/uid_map /proc/3105/gid_map  -l
-rw-r--r--. 1 test test 0 Jul 6 23:05 /proc/3105/gid_map
-rw-r--r--. 1 test test 0 Jul 6 23:05 /proc/3105/uid_map
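The mapping lines in this and the previous section are easier to reason about with a small translator. The following is an added example, not code from the original post: two POSIX shell functions that apply a uid_map in the kernel's "inside outside length" line format in either direction. The sample maps are constructed to match the states seen in this session (the empty map of a bare unshare -U, the single line unshare -r writes, and the 1000-ID range written later) plus a two-line map of the kind rootless container runtimes write, which goes beyond the single-line maps on this page. The overflow value 65534 comes from /proc/sys/kernel/overflowuid and is displayed as nfsnobody on CentOS 7, which is why the unmapped shell above shows an nfsnobody prompt.

```shell
#!/bin/sh
# Added example (not from the original post): translate IDs across a user
# namespace using the /proc/<pid>/uid_map format, one "inside outside length"
# mapping per line. An ID with no matching line is reported as the kernel's
# overflow ID (/proc/sys/kernel/overflowuid, 65534, shown as nfsnobody on
# CentOS 7). The same logic applies to gid_map.

OVERFLOW_ID=65534

# map_id ID MAP_TEXT: ID as seen inside the namespace -> ID in the parent namespace.
map_id() {
    printf '%s\n' "$2" | awk -v id="$1" -v overflow="$OVERFLOW_ID" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print overflow }'
}

# unmap_id ID MAP_TEXT: ID in the parent namespace -> ID as seen inside the
# namespace (what ls -l inside the namespace shows for a file owned by that ID).
unmap_id() {
    printf '%s\n' "$2" | awk -v id="$1" -v overflow="$OVERFLOW_ID" '
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
        END { if (!found) print overflow }'
}

# Constructed sample maps (not captured from a real system).
MAP_EMPTY=""                 # unshare -U without -r: nothing written yet
MAP_SINGLE="0 1000 1"        # unshare -U -r as uid 1000: root inside == test outside
MAP_RANGE="0 1000 1000"      # written later with CAP_SETUID: inside 0..999 -> outside 1000..1999
MAP_CONTAINER="0 1000 1
1 100000 65536"              # rootless-container style: root -> 1000, 1..65536 -> 100000..

map_id 0 "$MAP_EMPTY"          # 65534: unmapped, hence the nfsnobody prompt
map_id 0 "$MAP_SINGLE"         # 1000: root inside is test outside
map_id 1 "$MAP_SINGLE"         # 65534: only a single ID is mapped
unmap_id 1000 "$MAP_RANGE"     # 0
unmap_id 1500 "$MAP_RANGE"     # 500
unmap_id 2000 "$MAP_RANGE"     # 65534: past the end of the 1000-ID range
map_id 1000 "$MAP_CONTAINER"   # 100999: second line, offset 999 into the 65536 range
```

Note that these functions only interpret a map; they do not write one. Which writes the kernel accepts is a separate question, decided by the rules in user_namespaces(7).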

Now write the mapping. Writing a range of 1000 IDs from outside the namespace requires CAP_SETUID and CAP_SETGID in the parent namespace, so first give bash those file capabilities (file capabilities on /bin/bash apply to every user who runs bash, so remove them again with setcap -r /bin/bash once the test is done):

[test@localhost ~]$ cat /etc/passwd | grep test
test:x:1000:1000:test:/home/test:/bin/bash
[test@localhost ~]$ echo '0 1000 1000' > /proc/3105/uid_map
bash: echo: write error: Operation not permitted
[test@localhost ~]$ echo '0 1000 1000' > /proc/3105/gid_map
bash: echo: write error: Operation not permitted
[test@localhost ~]$ sudo setcap cap_setgid,cap_setuid+ep /bin/bash
[test@localhost ~]$ cat /proc/$$/status | egrep 'Cap(Inh|Prm|Eff)'
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
[test@localhost ~]$ exec bash
[test@localhost ~]$ cat /proc/$$/status | egrep 'Cap(Inh|Prm|Eff)'
CapInh: 0000000000000000
CapPrm: 00000000000000c0
CapEff: 00000000000000c0
[test@localhost ~]$ echo '0 1000 1000' > /proc/3105/uid_map
[test@localhost ~]$ echo '0 1000 1000' > /proc/3105/gid_map
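To make the capability mask and the "Operation not permitted" above concrete, here is an added example that is not part of the original post: a POSIX shell script that decodes a CapPrm/CapEff hex mask from /proc/<pid>/status into capability names, and applies the user_namespaces(7) rules that decide whether a uid_map or gid_map write succeeds for a writer that lacks CAP_SETUID/CAP_SETGID in the parent namespace (exactly one line, length 1, outside ID equal to the writer's own ID). The function names and sample inputs are mine; the capability numbering and the write rules are the documented ones.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for the
# capability/uid_map steps shown above.
#  - decode_caps: CapPrm/CapEff mask -> capability names
#    (00000000000000c0 is bits 6 and 7: cap_setgid, cap_setuid).
#  - check_map_write: the user_namespaces(7) rules for a writer without
#    CAP_SETUID (uid_map) / CAP_SETGID (gid_map) in the parent namespace.
#    Anything outside those rules gets EPERM, i.e. "Operation not permitted".

# cap_name BIT: capability number -> name, as shown by capsh --decode.
cap_name() {
    case "$1" in
        0) echo cap_chown ;;             1) echo cap_dac_override ;;
        2) echo cap_dac_read_search ;;   3) echo cap_fowner ;;
        4) echo cap_fsetid ;;            5) echo cap_kill ;;
        6) echo cap_setgid ;;            7) echo cap_setuid ;;
        8) echo cap_setpcap ;;           9) echo cap_linux_immutable ;;
        10) echo cap_net_bind_service ;; 11) echo cap_net_broadcast ;;
        12) echo cap_net_admin ;;        13) echo cap_net_raw ;;
        14) echo cap_ipc_lock ;;         15) echo cap_ipc_owner ;;
        16) echo cap_sys_module ;;       17) echo cap_sys_rawio ;;
        18) echo cap_sys_chroot ;;       19) echo cap_sys_ptrace ;;
        20) echo cap_sys_pacct ;;        21) echo cap_sys_admin ;;
        *) echo "cap_$1" ;;              # higher bits: see capabilities(7)
    esac
}

# decode_caps HEXMASK: comma-separated names of the set bits, lowest bit first.
decode_caps() {
    mask=$((0x$1))
    bit=0
    names=""
    while [ "$bit" -lt 63 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            names="${names:+$names,}$(cap_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$names"
}

# check_map_write MAP_TEXT WRITER_ID: prints "allowed" or "denied: <reason>"
# for a writer that has no CAP_SETUID/CAP_SETGID in the parent namespace.
check_map_write() {
    map="$1"
    writer="$2"
    if [ "$(printf '%s\n' "$map" | grep -c .)" -ne 1 ]; then
        echo "denied: unprivileged writers may write exactly one line"
        return
    fi
    set -- $map   # split the line into inside, outside, length
    if [ "$#" -ne 3 ]; then
        echo "denied: expected 'inside outside length'"
        return
    fi
    if [ "$3" -ne 1 ]; then
        echo "denied: length $3 exceeds 1"
        return
    fi
    if [ "$2" -ne "$writer" ]; then
        echo "denied: outside id $2 is not the writer's id $writer"
        return
    fi
    echo allowed
}

decode_caps 00000000000000c0          # cap_setgid,cap_setuid
check_map_write "0 1000 1000" 1000    # denied: length 1000 exceeds 1
check_map_write "0 1000 1" 1000       # allowed: this is the line unshare -r writes
check_map_write "0 0 1" 1000          # denied: outside id 0 is not the writer's id 1000
```

This is why unshare -r works for an ordinary user while the 1000-ID range does not: -r writes exactly the one permitted line. Two further kernel rules are not modelled here: each map file can be written only once, and since Linux 3.19 an unprivileged gid_map write additionally requires writing "deny" to /proc/<pid>/setgroups first.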

Switch back to the user-namespace shell and test:

[nfsnobody@localhost ~]$ exec bash
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
