
I am testing mount namespace using the following steps:

# unshare --mount
# mount --bind rootfs/ ns_dir/
# cd ns_dir/
# pivot_root . .
# cd /

My rootfs has sub-folders /lib, /bin, /etc. I have put dependencies for various binaries including bash and su.

My question relates to the use of su inside the namespace. I tried the following:

root:/# su alice
alice:/$ su bob
su: must be run from a terminal

I want to ask the meaning of the error su: must be run from a terminal. I searched online and found hackish answers, like the one at this link, which asks to do the following:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

I tried the approach in this answer, but it didn't work. I want to ask what is the right way to resolve this error. I presume the error is occurring because a password needs to be entered to switch the user.

Jake
  • pivot_root . . looks weird to me. Could you explain where you want to mount the original /? – 炸鱼薯条德里克 May 04 '19 at 02:43
  • Inside the mount namespace, I want ns_dir to eventually become root. I don't want to mount the original / anywhere. This is how LXC uses pivot_root: https://github.com/lxc/lxc/blob/master/src/lxc/conf.c#L1516 – Jake May 04 '19 at 08:23
  • I think the original terminal is unreachable in the namespace. You'd have to bind mount the original /dev/pts/ there. That doesn't mean it's the right way (security issues), just an observation. As a parallel, this happens with LXC and lxc-attach. lxc-console handles it, perhaps like the python command. – A.B May 04 '19 at 13:25
  • @A.B If you could reference any code for lxc-console that handles this, then that would be very helpful. Thank you – Jake May 06 '19 at 20:20
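
A diagnostic for the situation A.B describes above, as an added example that is not part of the original thread. It assumes the su in the rootfs decides "run from a terminal" with isatty()/ttyname() on stdin (an assumption, not stated on the page); the function names and the dev_root parameter are hypothetical.

```python
import errno
import os
import sys


def terminal_status(fd=0):
    """Return (state, detail) for fd as an isatty()/ttyname() check sees it."""
    if not os.isatty(fd):
        return ("not-a-tty", None)
    try:
        return ("ok", os.ttyname(fd))
    except OSError as exc:
        # The fd is a terminal, but no device node for it can be resolved
        # from the current root (e.g. /dev/pts is absent after pivot_root).
        return ("tty-unresolvable", errno.errorcode.get(exc.errno, str(exc.errno)))


def diagnose(fd=0, dev_root="/dev"):
    """Collect findings that explain why a terminal check may fail."""
    state, detail = terminal_status(fd)
    pts = os.path.join(dev_root, "pts")
    findings = {
        "state": state,
        "detail": detail,
        # devpts must be mounted inside the new root for pty names to resolve
        "devpts_mounted": os.path.ismount(pts),
        "ptmx_present": os.path.exists(os.path.join(dev_root, "ptmx")),
    }
    if state == "tty-unresolvable" and not findings["devpts_mounted"]:
        findings["hint"] = "terminal exists, but %s is not mounted in this root" % pts
    elif state == "not-a-tty":
        findings["hint"] = "fd %d is a pipe, file or closed; no terminal attached" % fd
    else:
        findings["hint"] = None
    return findings


if __name__ == "__main__":
    # Run once before unshare/pivot_root and once inside the new root,
    # then compare the two reports.
    for key, value in sorted(diagnose(sys.stdin.fileno()).items()):
        print("%-15s %s" % (key, value))
```

A state of tty-unresolvable with devpts_mounted False inside the namespace matches the comment's observation that the original terminal cannot be reached from the new root.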

1 Answer


What you can do is unshare with non-root inside and then use enterns without the --preserve-credentials which gives you root inside the container with which you can do the mounts.

See answer https://unix.stackexchange.com/a/767296/139357 which will be improved upon