Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

README.md

whack-run

whack-run is a small binary used as part of whack. To read more about why whack-run is necessary to use whack, read the section How does Whack work?.

Installation

As a normal user:

make

As root:

make install

Usage

whack-run is intended to be used with whack, although you're welcome to use it for other purposes. You can invoke whack-run like so:

whack-run <apps-dir> <app> <args>

Roughly speaking, this mounts <apps-dir> to /usr/local/whack in a private mount namespace, and then runs <app> with arguments <args>. Since whack-run uses unshare and mount, whack-run has the setuid bit set. It drops these privileges before invoking the specified application.

More precisely:

  1. unshare(CLONE_NEWNS) creates a private mount namespace. This means that any future mount calls in the process only affect that process.

  2. The directory /usr/local/whack is created if it doesn't already exist.

  3. Any existing mount at /usr/local/whack is unmounted. To see why not doing so could be problematic, consider if we run script-parent under root-parent, which then runs script-child under root-child. If script-child starts a long-running daemon, then we can't remove the directory root-parent since it contains the mount point for root-child.

  4. setuid privileges are dropped.

  5. exec is used to invoke the specified application.

Example

The below is intended to show how whack-run works. For an actual use case, take a look at whack.

$ mkdir -p example
$ echo -n 'Hello ' > example/message
$ echo '#!/usr/bin/env sh' > example/greet
$ echo 'cat /usr/local/whack/message' >> example/greet
$ echo 'echo $1' >> example/greet
$ chmod +x example/greet
$ whack-run example /usr/local/whack/greet Bob
Hello Bob
Something went wrong with that request. Please try again.