path: root/README.md
blob: b45628923b1bff65e0834efc9d968a5c3d5e5c87 (plain)
uroot (User's root)
===================
A tool that uses Linux namespaces and resource separation to provide root-like
functionality even to an unprivileged user on Linux systems. This is more commonly
known as unprivileged containers. The difference between this project and a
full-fledged containerization solution is that this tool deliberately provides
less separation, to allow more versatile uses. See the example usages if you are
not sure what it can do. There is also a section on limitations stating what you
can't do with this tool.

In general this tool allows you to become root in an imaginary sense. This has a
lot of use cases beyond just creating full containers. You can use it to control a
misbehaving program without fully separating it from the host system.

System setup
------------
TODO (describe shadow requirements)

Limitations of this tool
------------------------
This tool is not perfect, and neither is the technology it uses. There can be bugs,
and there are certainly unimplemented features. This section provides information
about known problems that we are unable to solve because of limitations of the
underlying technology. Please check this list before you report a problem, or even
before you use the tool itself.

### Block devices are a no-go
Unfortunately the current implementation of namespaces, primarily mount namespace
unsharing, does not support use of the block device subsystem, which is the kernel
subsystem handling access to storage devices. Most kernel file system drivers are
implemented on top of block devices, and because of that none of those file
systems can be used. This means that you can only modify (mount) file systems
that are already mounted, or kernel-provided virtual file systems such as tmpfs
or procfs. Giving the user access to the devices under `/dev` is not enough to
fix this issue. This also means that you are not able to use FUSE file systems.
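The following C program is an added illustration, not part of uroot's own code: it performs the same kind of unprivileged setup the tool relies on (a new user namespace with the caller mapped to uid 0, plus a new mount namespace) and then shows the limitation above directly, mounting a tmpfs successfully while the kernel refuses a block-backed ext4 mount. The device path passed to the ext4 mount is a constructed placeholder, and `/tmp` is assumed to exist as the mount target.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Write one line to a /proc/self/* map file; 0 on success, -1 on error. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Become uid 0 inside a fresh user + mount namespace and probe what the owner
 * of such a namespace may mount on `dir`. Returns 0 when tmpfs mounts but a
 * block-backed file system is refused (the README's limitation), 1 when this
 * environment does not permit the setup at all (seccomp, sysctl, old kernel),
 * and -1 on any unexpected behaviour. */
int probe_userns_mounts(const char *dir)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();

    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        return 1;
    /* Map our real uid/gid to 0 inside the namespace; setgroups must be
     * denied before an unprivileged process is allowed to write gid_map. */
    snprintf(map, sizeof map, "0 %u 1\n", uid);
    if (write_proc("/proc/self/uid_map", map) != 0) return -1;
    write_proc("/proc/self/setgroups", "deny\n");
    snprintf(map, sizeof map, "0 %u 1\n", gid);
    if (write_proc("/proc/self/gid_map", map) != 0) return -1;
    if (geteuid() != 0) return -1;        /* we now appear as root in here */

    /* tmpfs is flagged FS_USERNS_MOUNT, so the namespace owner may mount it. */
    if (mount("none", dir, "tmpfs", 0, "size=1m") != 0)
        return errno == EPERM ? 1 : -1;
    /* ext4 sits on the block layer and carries no such flag: the kernel
     * rejects it regardless of the device path (constructed placeholder). */
    if (mount("/dev/placeholder-block-device", dir, "ext4", 0, NULL) == 0)
        return -1;
    umount2(dir, MNT_DETACH);
    return 0;
}
```

Because the new mount namespace is created from an unprivileged user namespace, the tmpfs mount stays private to the process and never reaches the host's `/tmp`.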

Example usages
--------------
On top of making you look cool because you can get root on a system where you
should not (those hacking skills), this tool also has some real-life uses. Some of
them are clear cut, but others might not be immediately obvious. That is the main
reason this section exists. It should also give you hints about common traps.

### chroot
TODO

### Single killable process
TODO

### Network isolation
TODO