Re: Variant symlink filesystem

[David Lang]

On Sat, 12 Mar 2016, Cole wrote:

> On 12 March 2016 at 00:24, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> > On Sat, Mar 12, 2016 at 12:03:11AM +0200, Cole wrote:
> >
> > > This was one of the first solutions we looked at, and using various
> > > namespaces. However we would like to be able to have multiple terminal
> > > sessions open, and be able to have each session using a different
> > > mount point, or be able to use the other terminals mount point, i.e.
> > > switching the mount point to that of the other terminals. We would
> > > also like the shell to be able to make use of these, and use shell
> > > commands such as 'ls'.
> > >
> > > When we originally looked at namespaces and containers, we could not
> > > find a solution to achieve the above. Is this possible using
> > > namespaces?
> >
> > I'd try to look at setns(2) if you want processes joinging existing namespaces.
> > I'm afraid that I'll need to get some sleep before I'll be up to asking
> > the right questions for figuring out what requirements do you have and
> > what's the best way to do it - after a while coffee stops being efficient
> > and I'm already several hours past that ;-/
>
>
> Sure, not a problem, when you have time to reply I will gladly welcome
> any feed back.
>
> As for the usage, I'll explain it a bit so that you have something to
> work off of when you get a chance to read it.
>
> The problem we encountered with namespaces when we looked at it more
> than a year ago was 'how do you get the shell' to join them, or into
> one. And also how do you move the shell in one terminal session into a
> namespace that another shell is currently in. We wanted a solution
> that doesn't require modifying existing programs to make them
> namespace aware. However, as I said, this was more than a year ago
> that we looked at it, and we could easily have misunderstood
> something, or not understood the full functionality available. If you
> say this is possible, without modifying programs such as bash, could
> you please point me in the direction of the documentation describing
> this, and I will try to educate myself.

looking at the setns() function, it seems like you could have a suid helper 
program that you run in one session that changes the namespace and then invokes 
a bash shell in that namespace that you then run unmodified stuff in.

it seems like there should be a way for a root program to change the namespace 
of another, but I'm not finding it at the moment.

There is the nsenter program that will run a program inside an existing 
namespace. It looks like you need something similar that implements some 
permission checking (only let you go into namespaces of other programs for the 
same user or similar), but you should be able to make proof-of-concept scripts 
with nsenter.

David Lang