playing with "unc" the unprivileged user containers


If you are familiar with Docker then you are going to love this little hack. UNC is a tool that demonstrates how to launch containers without being root.

Getting the code and compiling it

git clone
cd unc
mkdir -p gopath/src/
ln -s ../.. gopath/src/unc
export GOPATH=$PWD/gopath
cd gopath/src/unc
go get
go build
cd unet
go build
cd ..
sudo cp unc unet/unet /usr/local/bin/
sudo chmod u+s /usr/local/bin/unet

What is SetUID for?

"unet" is a tool used by "unc" that creates veth pairs and assigns one of them to the container. Root (via setuid) is needed to be able to assign a network interface to the user container.

Creating some minimal root filesystems

sudo dnf install busybox
# as regular unprivileged user type
mkdir -p roots/busybox1/{bin,sbin,proc,dev,etc}
cp /sbin/busybox roots/busybox1/sbin/
echo "root:x:0:0:root:/root:/bin/bash" > roots/busybox1/etc/passwd
echo "root:x:0:" > roots/busybox1/etc/group
echo "localhost.localdomain" > roots/busybox1/etc/hostname
echo -e "search local\nnameserver" > roots/busybox1/etc/resolv.conf

let's make another copy of roots/busybox1

cp -a roots/busybox1 roots/busybox2

Running two user containers and connecting them together

as a regular user, on one terminal, type

cd roots/busybox1
PATH=/bin:/sbin:/usr/local/bin/:/usr/local/sbin/ unc ./sbin/busybox sh

and inside the container you can install the busybox tools into bin (from sbin/busybox)

/sbin/busybox --install -s /bin/

make sure the Ethernet link is up

ip a
ip link set uv3012 up

replace uv3012 with whatever interface name you see

do the same on busybox2 and ping the two containers like this

As you can see, we were able to be the container's root, and anything I run inside the container as root is not actually root but my regular user, the one I used to run "unc".

If you run "ls -lh", my files appear to be owned by root, and I can listen on the container's port 80 (using nc).
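To see the mechanism behind that effect, here is an added Go example (not unc's own code): it spawns a shell in a new user namespace with uid/gid 0 mapped to the caller's real ids, and it parses /proc/<pid>/uid_map so a host-side check can tell whether "root" inside a container resolves to the real uid 0 or to an unprivileged user. It assumes Linux with unprivileged user namespaces enabled.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// UIDMapping is one line of /proc/<pid>/uid_map: inside id, outside id, length.
type UIDMapping struct{ Inside, Outside, Length int64 }

// ParseUIDMap parses uid_map (or gid_map) content into its mapped ranges.
func ParseUIDMap(content string) ([]UIDMapping, error) {
	var maps []UIDMapping
	for _, line := range strings.Split(strings.TrimSpace(content), "\n") {
		var m UIDMapping
		if _, err := fmt.Sscan(line, &m.Inside, &m.Outside, &m.Length); err != nil {
			return nil, fmt.Errorf("malformed uid_map line %q: %v", line, err)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// HostUID resolves an in-namespace uid to the host uid. ok is false when the
// uid is unmapped; a host-side audit treats HostUID(maps, 0) == 0 as real root.
func HostUID(maps []UIDMapping, inside int64) (host int64, ok bool) {
	for _, m := range maps {
		if inside >= m.Inside && inside < m.Inside+m.Length {
			return m.Outside + (inside - m.Inside), true
		}
	}
	return 0, false
}

func main() {
	// New user namespace mapping uid/gid 0 to our real ids: "id" says root, uid_map says who we really are.
	cmd := exec.Command("/bin/sh", "-c", "id; cat /proc/self/uid_map")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "user namespace spawn failed:", err)
	}
}
```

From the host, `cat /proc/<container pid>/uid_map` fed to ParseUIDMap gives the same answer without entering the container.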

Going further

  • make things configurable using params
  • maybe replace SetUID "unet" let's say with "dbus" message (get me an interface my privileged brother)
  • maybe make "unc" run as root but accept "--become=other_user"
