Fork me on GitHub

plash sudo

Usage

plash sudo [CMD1 [CMD2 ..]]

Description

Setup a Linux user namespace. Then run the specified commands there. The
default command is the default user shell.

This is useful to access files written to disk by a container, when they
where written by a non-root user (from the containers perspective). It can
also be used as a general purpose utility to "fake" root access.

Tested Behaviour

#!/bin/bash

set -eux

• user inside plash sudo is root 

test $(plash sudo id -u) = 0

• no arguments gives shell 

test "$(echo 'echo itsbash' | plash sudo)" = 'itsbash'

• unknown command 

set +e

out=$(plash sudo cmdnotfound 2>&1)

set -e

[[ "$out" = *'No such file or directory'* ]]

[[ "$out" = *'cmdnotfound'* ]]

• different user and mount namespace 

test ! "$(readlink /proc/self/ns/{mnt,user})" = "$(plash sudo readlink /proc/self/ns/{mnt,user})"

• same other mount namespaces 

test "$(readlink /proc/self/ns/{cgroup,ipc,net,pid,uts})" = "$(plash sudo readlink /proc/self/ns/{cgroup,ipc,net,pid,uts})"

Source Code


#define USAGE "usage: plash sudo [CMD1 [CMD2 ..]]\n"

#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#include <plash.h>

int sudo_main(int argc, char *argv[]) {
  struct passwd *pw = getpwuid(getuid());
  pl_unshare_user();
  pl_unshare_mount();
  char *default_shell = pw ? pw->pw_shell : "/bin/sh";
  if (argc <= 1) {
    execlp(default_shell, default_shell, NULL);
  } else {
    execvp(argv[1], argv + 1);
  }
  pl_fatal("could not exec \"%s\"", argv[1]);
  return EXIT_FAILURE;
}