aboutsummaryrefslogtreecommitdiff

uroot (User's root)

Tool that uses Linux namespaces and resource separation to provide root like functionality even under unprivileged user on Linux systems. This is more commonly known as unprivileged containers. Difference between this project and full fledge containerization solution is that this tools tries to provide less separation to allow more versatile uses. See example usages if you are not sure what this can do. There is also section with limitations stating what you can't do with this tool.

In general this tools allows you to imaginary become root. This has a lot of use cases outside of just creating full containers. You can use it to control some bad behaving program without fully separating it from host system.

System setup

TODO (describe shadow requirements)

Limitations of this tools

This tool is not perfect as well as technology it uses is not perfect. There can be bugs and there are for sure unimplemented features. This section provides you with information about some known problems that we are unable to solve because of limitations of used technology. Please check this list before you report problem or even before you use tool it self.

Block devices are no go

Unfortunately current implementation of namespaces, primarily mount points unshare, does not support usage of block devices subsystem. That is kernel subsystem handling access to storage devices. Most of kernel file system drivers are implemented on top of block devices and because of that non of those file systems can be used. This means that you can modify (mount) only already mounted file systems or system file systems such as tmpfs or procfs. Allowing user access to /dev device is not enough to fix this issue. This also means that you are not able to use FUSE file systems.

Example usages

On top of making you look cool that you are able to get root on system you should not (those hacking skills) this tool also have some real live uses. Some of them can be clear cut but some usages might not be immediately clear. That is the main reason why this section exists. It also should give you hints to common traps.

chroot

TODO

Single killable process

TODO

Network isolation

TODO