Dive
Vitaly "_Vi" Shukela
July 21, 2015
Presentation Outline
1. Initial rationale
2. Original dive
3. Updated rationale
4. Usage example: restrict suidbit
5. Usage example: sudo
6. Usage example: unshare
7. Feature list
8. Conclusion
History
I was experimenting with LXC containers and found out that after starting the container it is tricky to launch some additional program into it.
The supposed way of doing this was configuring the network, starting an SSH server and using it:
LXC and sshd
[Diagram: Terminal -> lxc-execute -> bash (inside container); Terminal2 -> ssh -> sshd (inside container) -> bash2]
History
And I wanted this:
Direct
[Diagram: Terminal -> lxc-execute -> bash (inside container); Terminal2 -> bash2 (inside container), with no ssh/sshd in between]
History
I wanted to do it:
Without using virtual network;
Without heavyweight additional programs;
Preserving all FDs, not just stdin/stdout/stderr;
Initial dive
So I implemented a program that listens on a socket and allows remotely starting programs:
No TCP, only UNIX socket;
Using sendfd/recvfd;
No authentication, but preserving user (SO_PEERCRED);
Preserving signals;
Passing command line and environment variables as array;
Preserving controlling terminal (1/2);
Preserving process parents (failed);
So, the initial dive rationale is:
Poor man's SSHd for starting things inside lxc-execute.
History
I finished playing with LXC at that moment, but used the "dive" project as a playground.
More features crept in, so I created a "nocreep" branch in Git to preserve the "poor man's sshd" dive as a little program.
Updated rationale
The new rationale is:
Be a tool for starting processes in various ways, like socat is the tool for using sockets.
PR_SET_NO_NEW_PRIVS
I don't like the suidbit feature.
I want to start a program that should not be able to elevate its privileges by filesystem means.
dived -J -S -T -P -X -- ./some_program arguments
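What the -X flag stands for, as an added example that is not dive's own code: set PR_SET_NO_NEW_PRIVS, verify it both through prctl and through the NoNewPrivs: line of /proc/<pid>/status (the check an operator would run against a process started this way), then exec the target. The function and program names are mine; Linux only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set the no_new_privs bit: from now on execve() ignores set-user-ID and
 * set-group-ID bits and file capabilities for this process and every
 * descendant, and the bit can never be cleared. Returns 0 or -1. */
int restrict_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Ask the kernel: 1 if the bit is set, 0 if not, -1 on error. */
int no_new_privs_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Audit a running process the way an operator would, by reading the
 * NoNewPrivs: line of /proc/<pid>/status. Returns 1, 0, or -1 if the
 * line is unavailable (no /proc, or a kernel older than 4.10). */
int no_new_privs_from_proc(pid_t pid)
{
    char path[64], line[256];
    int result = -1;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    if (!(f = fopen(path, "r"))) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            result = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Usage: nnp program [args...]  ("nnp" is a hypothetical name for this example) */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (restrict_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    /* A set-user-ID target such as passwd now runs with the caller's uid only. */
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```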
suid-less sudo
I don't like the suidbit feature.
I want to run a large part of the system with suidbit forbidden (-o nosuid, PR_SET_NO_NEW_PRIVS).
But I also want this part to elevate privileges in a controlled way.
access to one root program for a specific user
Let's give someuser access to run some program only as root without using setuid.
dived /home/someuser/poormansudo -d -C 700 -U someuser:someuser -E -P -- /usr/bin/some_program_only
dive ./poormansudo --some --arguments
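How both the "Initial dive" feature list (UNIX socket, sendfd/recvfd, SO_PEERCRED) and this poormansudo setup work underneath, as an added example that is not dive's own code: the client's descriptors travel as SCM_RIGHTS control messages, and the server learns who is on the other end from the kernel via SO_PEERCRED rather than from a password, which is what the -U someuser:someuser check relies on. Function names and the MAX_FDS limit are mine; the demo uses a socketpair so it runs without a listening socket or root. Linux only.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAX_FDS 8 /* limit chosen for this example, not a limit of dive */

/* Client side: hand n descriptors to the peer (SCM_RIGHTS) with one
 * payload byte, since a control message needs some data to ride on. */
int send_fds(int sock, const int *fds, int n)
{
    char byte = 'F', buf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = buf,
                          .msg_controllen = CMSG_SPACE(sizeof(int) * n) };
    struct cmsghdr *c;
    if (n < 1 || n > MAX_FDS) return -1;
    memset(buf, 0, sizeof buf);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int) * n);
    memcpy(CMSG_DATA(c), fds, sizeof(int) * n);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Server side: receive up to max descriptors, CLOEXEC so they cannot leak
 * into the program exec'ed later; surplus ones are closed. Count or -1. */
int recv_fds(int sock, int *fds, int max)
{
    char byte, buf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = buf,
                          .msg_controllen = sizeof buf };
    struct cmsghdr *c;
    int n, i, fd;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
    for (i = 0; i < n; i++) {
        memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof(int));
        if (i < max) fds[i] = fd; else close(fd);
    }
    return n < max ? n : max;
}

/* The "-U someuser:someuser" decision: the kernel reports the peer's uid,
 * so no password or token is exchanged. 1 allowed, 0 denied, -1 error. */
int peer_allowed(int sock, uid_t allowed_uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) return -1;
    return cred.uid == allowed_uid;
}

/* Round trip over a socketpair: the "client" end sends the write end of a
 * pipe, the "server" end checks the peer uid and writes through the copy it
 * received. Returns bytes that came out of the pipe, or a negative step. */
int demo_roundtrip(void)
{
    int sv[2], pf[2], got[MAX_FDS]; char out[16]; ssize_t n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(pf) != 0) return -1;
    if (send_fds(sv[0], &pf[1], 1) != 0) return -2;
    if (recv_fds(sv[1], got, MAX_FDS) != 1) return -3;
    if (peer_allowed(sv[1], getuid()) != 1) return -4;     /* own uid: allowed */
    if (peer_allowed(sv[1], getuid() + 1) != 0) return -5; /* other uid: denied */
    if (write(got[0], "hello", 5) != 5) return -6;
    close(got[0]); close(pf[1]);
    n = read(pf[0], out, sizeof out);
    close(pf[0]); close(sv[0]); close(sv[1]);
    return (int)n;
}
```

A real server would accept() on the path given to dived, run recv_fds and peer_allowed on the accepted socket, and only then fork and exec the one permitted program with the received descriptors as its stdin/stdout/stderr.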
give anybody chroot, but revoke setuid magic
I like to use chroot for development and don't want to change to root every time.
dived /var/run/chrooter -d -C 777 -X -r
DIVE_ROOTDIR=/home/user/system dive /var/run/chrooter /bin/bash
namespace handling
Let’s become poor man’s LXC.
Start a "container": dived -J -S -T -P -s net,fs -- /bin/bash
Start an additional program into that container: dived -J -S -T -P -N /proc/12345/ns/net -N /proc/12345/ns/mnt -- /bin/bash
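What "-N /proc/12345/ns/net" does, as an added example that is not dive's own code: join an existing namespace through its /proc handle with setns(), and afterwards verify that two processes really share a namespace by comparing the inode numbers behind /proc/<pid>/ns/<type>, which is the check to run after starting something "into" a container this way. The -s flag corresponds to unshare(), which is not shown here because it needs privilege. Function and program names are mine; Linux only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <sys/stat.h>

/* Namespace identity of <pid> for a type such as "net", "mnt" or "pid":
 * the inode number of the nsfs object behind /proc/<pid>/ns/<type>.
 * Returns 0 if it cannot be read (no /proc, no such pid, no access). */
unsigned long ns_ident(pid_t pid, const char *type)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    if (stat(path, &st) != 0) return 0;
    return (unsigned long)st.st_ino;
}

/* 1 if both processes are in the same <type> namespace, 0 if not,
 * -1 if either one could not be inspected. */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_ident(a, type), ib = ns_ident(b, type);
    if (ia == 0 || ib == 0) return -1;
    return ia == ib;
}

/* Join the namespace behind a /proc/<pid>/ns/<type> path. Needs
 * CAP_SYS_ADMIN in the target's user namespace; returns 0 or -1. */
int join_namespace(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int rc;
    if (fd < 0) return -1;
    rc = setns(fd, 0); /* nstype 0: the kernel infers the type from the fd */
    close(fd);
    return rc;
}

/* Usage: nsjoin /proc/<pid>/ns/net [/proc/<pid>/ns/mnt ...] -- program [args]
 * ("nsjoin" is a hypothetical name for this example). */
int main(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc && strcmp(argv[i], "--") != 0; i++) {
        if (join_namespace(argv[i]) != 0) { perror(argv[i]); return 1; }
    }
    if (i + 1 >= argc) {
        fprintf(stderr, "usage: %s NSPATH... -- program [args]\n", argv[0]);
        return 2;
    }
    execvp(argv[i + 1], argv + i + 1);
    perror("execvp");
    return 1;
}
```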
Feature list
Starting programs directly, or initiated by socket
Preservation of argv and envp arrays
Preservation of controlling terminal (limited)
Preservation of uid/gid (initializing other groups)
Signal preservation
Waiting for termination of a remotely started process
inetd mode
Abstract sockets
Capability, securebits and PR_SET_NO_NEW_PRIVS management
Namespace management
"authenticate" feature
Resource (rlimit) management
Creation of pidfile
Chrooting
Saving of pidfile
Current omissions
TODO:
Sane command line argument handling
Full-coverage tests
Cgroups management
Distribution package inclusions
Refactoring
Dive is a project that helps to start programs in a light-weight, but versatile way.
https://github.com/vi/dive
The end.