As a normal user:
whack-run is intended to be used with whack, although you're welcome to use it for other purposes. You can invoke whack-run like so:
whack-run <apps-dir> <app> <args>
This mounts <apps-dir> at /usr/local/whack in a private mount namespace, and then runs <app> with arguments <args>.
Since whack-run uses mount, whack-run has the setuid bit set.
It drops these privileges before invoking the specified application.
unshare(CLONE_NEWNS) creates a private mount namespace. This means that any future mount calls in the process only affect that process.
/usr/local/whack is created if it doesn't already exist.
Any existing mount at /usr/local/whack is unmounted. To see why not doing so could be problematic, consider if we run root-parent, which then runs
script-child starts a long-running daemon, then we can't remove the directory root-parent since it contains the mount point for
setuid privileges are dropped.
exec is used to invoke the specified application.
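The steps above written out in C, as an added example that is not whack-run's own source. The MS_BIND mount type and the MS_PRIVATE remount are assumptions not stated on this page; the remount goes beyond the listed steps and keeps mounts from propagating back to the parent namespace on hosts where / is a shared mount. drop_privileges and fail are hypothetical helper names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef CLONE_NEWNS /* fallback if <sched.h> was included without _GNU_SOURCE */
#define CLONE_NEWNS 0x00020000
int unshare(int flags);
#endif

#define WHACK_ROOT "/usr/local/whack"

/* Permanently give up setuid privileges. Returns 0 only if the drop is
 * verified; the caller must not exec on any other value. */
int drop_privileges(void) {
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();
    /* Group first: once the uid is dropped we may no longer change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    /* If we were elevated, regaining the old euid must now fail. */
    if (old_euid != ruid && setuid(old_euid) == 0) return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

static int fail(const char *what) { perror(what); return 1; }

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <apps-dir> <app> <args>\n", argv[0]);
        return 2;
    }
    if (unshare(CLONE_NEWNS) != 0) return fail("unshare");
    /* Assumption: make every mount private so nothing done below
     * propagates to the namespace we came from. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return fail("private");
    if (mkdir(WHACK_ROOT, 0755) != 0 && errno != EEXIST) return fail("mkdir");
    /* EINVAL means nothing was mounted there, which is fine. */
    if (umount(WHACK_ROOT) != 0 && errno != EINVAL) return fail("umount");
    /* Assumption: a bind mount; the page only says "mount". */
    if (mount(argv[1], WHACK_ROOT, NULL, MS_BIND, NULL) != 0) return fail("mount");
    if (drop_privileges() != 0) return fail("drop privileges");
    execv(argv[2], &argv[2]); /* only returns on error */
    return fail("execv");
}
```

Every privileged call is checked before the drop, and the drop itself is verified, so a failed setuid can never lead to <app> running with the setuid identity.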
The below is intended to show how whack-run works. For an actual use case, take a look at whack.
$ mkdir -p example
$ echo -n 'Hello ' > example/message
$ echo '#!/usr/bin/env sh' > example/greet
$ echo 'cat /usr/local/whack/message' >> example/greet
$ echo 'echo $1' >> example/greet
$ chmod +x example/greet
$ whack-run example /usr/local/whack/greet Bob
Hello Bob