fuse filesystem which maps filesystem access based on uid/gid maps

cpuguy83/idmapfs

idmapfs

A fuse filesystem which maps filesystem access based on a uid/gid map.

The purpose of idmapfs is specifically to map a filesystem tree (or a file I suppose) into a user namespace where a UID and/or GID (or a set of them) is mapped to a different set of UIDs and/or GIDs in the user namespace.
A common example is to map an unprivileged user, e.g. UID 10000, to UID 0 in the user namespace, giving the user root-like privileges inside the user namespace while it is really mapped to an unprivileged user.

Why?

By definition, a user namespace (set up a particular way) makes it so that the user thinks it is accessing things as one user, but really it is another. This extends to file system access. As an example, /etc/shadow is typically only accessible by the root user. In a user namespace the user may appear to be the root user but will not have access to /etc/shadow because the real user ID is mapped to a non-root user. This is important for security isolation.

In some cases you may want to allow the user in a user namespace to access files as if they really are the user they think they are. This is not currently possible with anything available in the kernel, and as such you'd have to resort to chown/chmod to give the user in the user namespace the proper access, which is generally undesirable. idmapfs enables this functionality through fuse.

Note: It is important to understand that the intention of idmapfs is to allow an administrator to poke a hole in the security that user namespaces provide by giving user(s) in the user namespace access to files they would not normally have.

Build

go build ./cmd/idmapfs

Usage

Map UID/GID 0 (and only 0) to UID/GID 10000.

./idmapfs --map-uids 0:10000:1 --map-gids 0:10000:1 <source> <target>

In the map-uids/map-gids spec, the notation is <id to map from>:<mapped id range start>:<number of ids to map>

Map UIDs/GIDs 0-1000 to 10000-11000:

./idmapfs --map-uids 0:10000:1000 --map-gids 0:10000:1000 <source> <target>

If there is a UID/GID in <source> that is not mapped, it will retain its original ownership.
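
To see exactly which IDs a given spec covers before mounting, the following added example (not idmapfs's own code) parses one `<id to map from>:<mapped id range start>:<number of ids to map>` entry and applies it, passing unmapped IDs through unchanged as described above. The `IDMap`, `ParseIDMap` and `Translate` names are hypothetical, and it assumes the third field is a count, as the notation states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IDMap is one "<from>:<start>:<count>" entry. Hypothetical names, not idmapfs's own code.
type IDMap struct{ From, To, Count uint32 }

// ParseIDMap parses one spec such as "0:10000:1000", rejecting empty ranges
// and ranges that would run past the 32-bit id space.
func ParseIDMap(spec string) (IDMap, error) {
	parts := strings.Split(spec, ":")
	if len(parts) != 3 {
		return IDMap{}, fmt.Errorf("%q: want <from>:<start>:<count>", spec)
	}
	var n [3]uint32
	for i, p := range parts {
		v, err := strconv.ParseUint(p, 10, 32) // no sign, no spaces, must fit 32 bits
		if err != nil {
			return IDMap{}, fmt.Errorf("%q: bad field %q", spec, p)
		}
		n[i] = uint32(v)
	}
	m := IDMap{n[0], n[1], n[2]}
	if m.Count == 0 || uint64(m.From)+uint64(m.Count) > 1<<32 || uint64(m.To)+uint64(m.Count) > 1<<32 {
		return IDMap{}, fmt.Errorf("%q: empty or overflowing range", spec)
	}
	return m, nil
}

// Translate returns the mapped id, or id unchanged when no entry covers it.
func Translate(maps []IDMap, id uint32) uint32 {
	for _, m := range maps {
		if id >= m.From && id-m.From < m.Count {
			return m.To + (id - m.From)
		}
	}
	return id
}

func main() {
	m, err := ParseIDMap("0:10000:1000") // spec taken from the usage example
	fmt.Println(m, err, Translate([]IDMap{m}, 999), Translate([]IDMap{m}, 1000))
}
```

With a count of 1000, ID 999 is the last one translated; ID 1000 falls outside the range and keeps its original value, which is worth checking when files owned by boundary IDs must not be exposed unmapped.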

Other projects

bindfs is another project which has some similar functionality, however its scope is much greater and it only supports mapping a single UID/GID. idmapfs is specifically targeted at Linux user namespaces and even uses the same idmapping syntax (although it does work on macOS). idmapfs does not and will not support other features that bindfs does, like changing file permissions at mount time (chown/chmod are supported, though).

Performance

No idea yet... probably slow. There is room for optimization.

Status

This is very new and should be considered pre-alpha. It should not be considered secure or stable.
