playing with "unc" the unprivileged user containers

Introduction


If you are familiar with docker then you are going to love this little hack. UNC is a tool to demonstrate how to launch containers without being root.

Getting the code and compiling it

git clone https://github.com/LK4D4/unc.git
cd unc
mkdir -p gopath/src/
ln -s ../.. gopath/src/unc
export GOPATH=$PWD/gopath
cd gopath/src/unc
go get
go build
cd unet
go build
cd ..
sudo cp unc unet/unet /usr/local/bin/
sudo chmod u+s /usr/local/bin/unet

What is SetUID for?

"unet" is a tool used "unc" that creates veth pairs and assign one of them to container. Root user (via setuid) is needed to be able to assign a network interface for the user container.


Creating some minimal root filesystems

sudo dnf install busybox
# as regular unprivileged user type
mkdir -p roots/busybox1/{bin,sbin,proc,dev,etc}
cp /sbin/busybox roots/busybox1/sbin/
echo "root:x:0:0:root:/root:/bin/bash" > roots/busybox1/etc/passwd
echo "root:x:0:" > roots/busybox1/etc/group
echo "localhost.localdomain" > roots/busybox1/etc/hostname
echo -e "search local\nnameserver 8.8.8.8" > /etc/resolv.conf

let's make another copy of roots/busybox1

cp -a roots/busybox1 roots/busybox2

Running two user containers and connecting them together

as regular user on one terminal type

cd roots/busybox1
PATH=/bin:/sbin:/usr/local/bin/:/usr/local/sbin/ unc ./sbin/busybox sh

and inside the container you can install busybox tools into bin (from sbin/busybox)

/sbin/busybox --install -s /bin/

make sure the Ethernet link is up

ip a
ip link set uv3012 up

replace uv3012 with whatever interface you see


do the same on busybox2 and ping the two containers like this



as you can see we were able to be container's root and anything I run inside the container as root is not actually root but actually my regular user I used to run "unc"

If you run "ls -lh" my files would appear to be root and I can listen on containers port 80 (using nc)

Going further

  • make things configurable using params
  • maybe replace SetUID "unet" let's say with "dbus" message (get me an interface my privileged brother)
  • maybe make "unc" to be executed as root but have "--become=other_user"



Comments

Post a Comment

Popular posts from this blog

How to defuse XZ Backdoor (or alike) in SSH Daemon

XZ Backdoor in SSH Background Someone planted a backdoor in XZ compression, which is believed to affect SSH. More details can be found. Although it was never shipped to production version of any distro. Even if you are using unaffected version I suggest you defuse any similar backdoors. https://www.openwall.com/lists/oss-security/2024/03/29/4 https://news.ycombinator.com/item?id=39865810 https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users The Kill Switch The backdoor has a kill switch, it does not activate if it detects that someone is observing it (debugger attached...etc). An easy way to defuse the backdoor is to just define TERM environment variable causing the backdoor to think it's being observed and it would disable itself hopefully this is not specific to this backdoor but any similar one.  mkdir /etc/systemd/system/sshd.service.d/ echo -e "[Service]\nEnvironment=TERM=xt...
Read more

Making minimal graphical operating system

Image
Back in my first days of Linux I had a bootable floppy disk with fully functional Linux distro (a kernel, a shell and busybox tools and lua scripting). Maybe that was not much, but it was less than 2MB and would work on an old 386 PC with 4MB of RAM. But shell is boring, graphical minimal Linux distros was several hundreds of mega bytes and need hundreds of MB of RAM. Embedded devices typically have a minimal Linux with busybox or alike running with no graphical interface but instead they have some sort of web interface exposed to some port. If you tried to run a minimal graphical Linux distro let's say XFCE on an embedded device (let's say a raspberry pi) you would notice that most of its limited resources are taken by Xorg the legacy graphical server. Introducing Wayland Wayland is a new different approach to graphical interface, instead of sending drawing instruction over a legacy protocol (with so many extensions) to a legacy daemon (with so many extensions) that ...
Read more

Bootstrapping Alpine Linux QCow2 image

Introduction Alpine Linux is a minimal distro with package manager ( APK ) that is based on busybox and musl library . Like the  CirrOS , it's very lightweight, but unlike it, it's full featured. In case you don't know me, my Linux distro of choice is Fedora/CentOS, in this post I'm going to bootstrap a QCow2 cloud image of Alpine Linux on my distro of choice. Using docker to bootstrap a working chroot Type mkdir alpine35-root docker run --rm -ti -v $PWD/alpine35-root:/data alpine:3.5 apk --arch x86_64 -X http://nl.alpinelinux.org/alpine/v3.5/main/ -U --allow-untrusted --root /data --initdb add alpine-base  and you should get a line like this OK: 6 MiB in 16 packages so now we have a working alpine chroot in the directory alpine35-root Creating Bootable QCoW2 Image Because I don't want to format my hard disk by mistake and because I know Murphy's law, I'll take those 6MB as tarball and continue on a VM. dd if=/d...
Read more