Category: Software, Security, Ubuntu, Docker, Architecture

By Fabio Kung, Sargun Dhillon, Andrew Spyker, Kyle, Rob Gulewich, Nabil Schear, Andrew Leung, Daniel Muino, and Manas Alekar

The Titus platform maintains large pools of homogenous node capacity to run user workloads, and the Titus scheduler places workloads.

This is powerful in a few ways:

One critical aspect of understanding how permissions work is that every namespace belongs to a specific user namespace.

According to /proc/self/status, the effective capability set of this process is empty:

Now, let’s try to set up a user namespace, and see what happens:

Immediately, you’ll notice the command prompt says the current user is root, and that the id command agrees.

This is because the process now has all of the capabilities that a traditional root user would have, except they are relative to the new user namespace we created:

If we inspect this process from the outside, we can see that the process still runs as the unprivileged user, and the hostname in the original outside namespace hasn’t changed:

From here, we can do all sorts of things, like mount filesystems, create other new namespaces, and in fact, we can create an entire container environment.
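The distinction between an empty effective set and a full set that only applies inside a child user namespace can be read from the host, as this added example (not code from the original article) shows by decoding `CapEff` from `/proc/<pid>/status` and pairing it with `/proc/<pid>/uid_map`. The sample text, the UID 1000, and the function names are constructed for illustration, and treating any non-identity `uid_map` as "namespaced" is a simplifying assumption; comparing the `/proc/<pid>/ns/user` links is the authoritative check.

```python
import re

# Capability names in bit order, from linux/capability.h (bit 0 = CAP_CHOWN).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
        "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
        "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
        "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
        "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

def decode_caps(mask_hex):
    """Turn a CapEff/CapPrm hex mask into names; bits newer than CAPS stay numeric."""
    mask = int(mask_hex, 16)
    return [f"CAP_{CAPS[b]}" if b < len(CAPS) else f"bit{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Return (effective uid, effective capability names) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("not a /proc/<pid>/status dump")
    return int(uid.group(1)), decode_caps(cap.group(1))

def parse_uid_map(text):
    """Rows of /proc/<pid>/uid_map: (uid inside, uid in the reader's namespace, length)."""
    return [tuple(map(int, line.split())) for line in text.splitlines() if line.strip()]

def classify(status_text, uid_map_text):
    """Viewed from the host: what do this process's capabilities actually apply to?"""
    euid, caps = parse_status(status_text)
    # Assumption: only the identity map means "no child user namespace".
    namespaced = parse_uid_map(uid_map_text) != [(0, 0, 4294967295)]
    if not caps:
        return "unprivileged"
    if namespaced:
        return f"host uid {euid}: {len(caps)} capabilities, scoped to its user namespace"
    return "privileged on the host"

# Constructed samples, both read from the host (initial user namespace).
SHELL_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
USERNS_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    print(classify(SHELL_STATUS, "0 0 4294967295\n"))
    print(classify(USERNS_STATUS, "0 1000 1\n"))
```

A full `CapEff` mask on its own is therefore not evidence of host root: the same process is still UID 1000 from the host's point of view.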
