Created October 22, 2020 14:52
(gdb) run dnsmasq -u -l -r /dev/null -r /dev/urandom -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -r /sbin/hotplug-call -w /tmp/dhcp.leases -r /tmp/dnsmasq.d -r /tmp/hosts/dhcp.cfg01411c -r /tmp/resolv.conf.d -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
Starting program: /sbin/ujail dnsmasq -u -l -r /dev/null -r /dev/urandom -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -r /sbin/hotplug-call -w /tmp/dhcp.leases -r /tmp/dnsmasq.d -r /tmp/hosts/dhcp.cfg01411c -r /tmp/resolv.conf.d -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
jail: Not using namespaces, capabilities or seccomp !!!
ujail <options> -- <binary> <params ...>
-d <num> show debug log (increase num to increase verbosity)
-S <file> seccomp filter config
-C <file> capabilities drop config
-c set PR_SET_NO_NEW_PRIVS
-n <name> the name of the jail
namespace jail options:
-h <hostname> change the hostname of the jail
-N jail has network namespace
-f jail has user namespace
-F jail has cgroups namespace
-r <file> readonly files that should be staged
-w <file> writeable files that should be staged
-p jail has /proc
-s jail has /sys
-l jail has /dev/log
-u jail has a ubus socket
-U <name> user to run jailed process
-G <name> group to run jailed process
-o remont jail root (/) read only
-R <dir> external jail rootfs (system container)
-O <dir> directory for r/w overlayfs
-T <size> use tmpfs r/w overlayfs with <size>
-E fail if jail cannot be setup
-y provide jail console
-J <dir> create container from OCI bundle
-j start container immediately
Warning: by default root inside the jail is the same
and he has the same powers as root outside the jail,
thus he can escape the jail and/or break stuff.
Please use seccomp/capabilities (-S/-C) to restrict his powers
If you use none of the namespace jail options,
ujail will not use namespace/build a jail,
and will only drop capabilities/apply seccomp filter.
[Inferior 1 (process 2057) exited with code 01]
(gdb)