Linux Namespaces

November 23rd, 2014

Starting from kernel 2.6.24, there are 6 different types of Linux namespaces. Namespaces are useful in isolating processes from the rest of the system, without needing to use full low level virtualization technology.

  • CLONE_NEWIPC: IPC Namespaces: SystemV IPC and POSIX Message Queues can be isolated.
  • CLONE_NEWPID: PID Namespaces: PIDs are isolated, meaning that a PID inside of the namespace can conflict with a PID outside of the namespace. PIDs inside the namespace will be mapped to other PIDs outside of the namespace. The first PID inside the namespace will be ‘1’ which outside of the namespace is assigned to init
  • CLONE_NEWNET: Network Namespaces: Networking (/proc/net, IPs, interfaces and routes) are isolated. Services can be run on the same ports within namespaces, and “duplicate” virtual interfaces can be created.
  • CLONE_NEWNS: Mount Namespaces. We have the ability to isolate mount points as they appear to processes. Using mount namespaces, we can achieve similar functionality to chroot() however with improved security.
  • CLONE_NEWUTS: UTS Namespaces. This namespaces primary purpose is to isolate the hostname and NIS name.
  • CLONE_NEWUSER: User Namespaces. Here, user and group IDs are different inside and outside of namespaces and can be duplicated.

Let’s look first at the structure of a C program, required to demonstrate process namespaces. The following has been tested on Debian 6 and 7.

First, we need to allocate a page of memory on the stack, and set a pointer to the end of that memory page. We use alloca to allocate stack memory rather than malloc which would allocate memory on the heap.

void *mem = alloca(sysconf(_SC_PAGESIZE)) + sysconf(_SC_PAGESIZE);

Next, we use clone to create a child process, passing the location of our child stack ‘mem’, as well as the required flags to specify a new namespace. We specify ‘callee’ as the function to execute within the child space:


After calling clone we then wait for the child process to finish, before terminating the parent. If not, the parent execution flow will continue and terminate immediately after, clearing up the child with it:

while (waitpid(mypid, &r, 0) < 0 && errno == EINTR)

Lastly, we’ll return to the shell with the exit code of the child:

	return WEXITSTATUS(r);

Now, let’s look at the callee function:

static int callee()
	int ret;
	mount("proc", "/proc", "proc", 0, "");
	setgroups(0, NULL);
	ret = execl("/bin/bash", "/bin/bash", NULL);
	return ret;

Here, we mount a /proc filesystem, and then set the uid (User ID) and gid (Group ID) to the value of ‘u’ before spawning the /bin/bash shell.
Read the rest of this entry »

Linux Challenge Blackbox #1

October 5th, 2014

I put together a small blackbox challenge this afternoon. Download it now:

Challenge starts here

The challenge covers some Linux file manipulation, C/ASM, GDB and filesystem. Please post questions or feedback in the comments. No spoilers! If you’ve got the master password, contact me privately through the form and if you’re correct I’ll post your details here.

Update 6th Oct 14:00 GMT

I’ve received a lot of questions and clarifications. Here are some hints for the first part.. πŸ™‚

  1. Β The download file is hidden on this page. It’s not hard to find!
  2. Linux “file” command is helpful
  3. Make sure you have GDB installed and know how to use it

And for the second part…

  1. I <3 AES 256!

The final key is a 16 byte string padded out to 32 bytes.

The challenge has now been solved, and an excellent and very detailed solution posted by Reader Remi Pommarel (repk at triplefau dot lt). Here is Remi’s solution:

Spoiler Inside: Challenge Solution SelectShow

Please feel free to submit your own solutions!

Multithreaded TCP Proxy Tunnel Code

August 18th, 2013

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 13
Author: Adam Palmer <adam [AT] sasdataservicesΒ [DOT] com>
Read the rest of this entry »

Linux Robot – Manual Movement

May 1st, 2011

The robot’s new design also allows for better manual movement – here’s a video of the robot being manually controlled. This is all done via the TCP server and can be hooked to any TCP speaking application.

Rebuilding the Robot

May 1st, 2011

It had been a while since I’d worked on the robot, and I wanted to work on some movement algorithms. I’ve done some AI work lately on a separate project, and thought that this would help with the automated movement task. Unfortunately, the Robot had a little accident, namely falling out of the loft whilst I was bring it down. It’s been long overdue the removal of some of the excess hardware, and also needed some bugfixes that I now had no choice but to perform.
Read the rest of this entry »

Embedded Linux Programmer

January 15th, 2010

As an embedded linux programmer, I’ve had the opportunity to work on a number of different platforms, MIPS being one of my favorites.

There are a few general limitations that you’ll find. You have limited CPU power available, you have very little RAM available, and for more advanced operations and optimizations, your CPU will generally have a limited function set.

The usual good programming practices apply, but are of much greater importance. Specifically, don’t allocate memory that you don’t need, and dont put the CPU under undue stress with unnecessary or badly optimized loops. Taking C syntax and some pseudo code;
Read the rest of this entry »

Easy Reverse Engineering

November 2nd, 2009

Compiling a program doesn’t protect it or necessarily hide the source. Take the following example C program. It serves no real life purpose and should never print anything to the console:

#include <stdio.h>

int main(void)
        const char *password = "secretpassword";
        const char *otherpassword = "othersecretpassword";

        if(!strcmp(password, otherpassword))
                printf("This will never get evaluated");
        return 0;

To assemble the code using gcc -S test.c leaves test.s. The important point being that all strings remain intact:
Read the rest of this entry »

Linux C setuid setgid tutorial

October 3rd, 2009

Here’s a very brief example of how to use setuid() and setgid() functions in your C program.

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
	int current_uid = getuid();
	printf("My UID is: %d. My GID is: %dn", current_uid, getgid());
	if (setuid(0))
		return 1;
	//I am now root!
	printf("My UID is: %d. My GID is: %dn", getuid(), getgid());
	//Time to drop back to regular user privileges
	printf("My UID is: %d. My GID is: %dn", getuid(), getgid());
	return 0;

The program above should be pretty self explanatory, now:

adam@staging:~$ gcc -O2 -ggdb -o setuid setuid.c
adam@staging:~$ ls -al setuid
-rwxr-xr-x 1 adam adam 9792 2009-10-03 18:09 setuid

Read the rest of this entry »

Multithreaded Multi-Connection TCP Proxy Tunnel Update

September 4th, 2009

Further to post

I have received a report from a user experiencing the following error:
# gcc -Wall -g -O2Β Β  -o tcp_tun tcp_tun.cΒ  -lpthread
tcp_tun.c:44:37: error: getaddrinfo/getaddrinfo.h: No such file or directory
tcp_tun.c:45:37: error: getaddrinfo/getaddrinfo.c: No such file or directory

I think that this is a common error involving distros without getaddrinfo available. I have packaged up everything up with getaddrinfo and a configure/Makefile also. Please let me know your feedback.