
It looks like I found a way to allow only a single application to access files in USB storage. This script must be run with sudo.

#!/bin/bash
# create namespace
unshare -m<<EOF
# mount device in namespace
mount -U "UUID-here" "/home/$SUDO_USER/hidden"
# run unprivileged application
sudo -u "$SUDO_USER" application
# unmount device
umount "/home/$SUDO_USER/hidden"
EOF

Obviously the automounter must not mount this device.

Is it possible for other applications (except 0day exploits) run by the user to read files from the namespace?

anon432

1 Answer


Yes, other processes owned by the same user can access the files via /proc/<PID>/root.

This can be prevented by root creating a user namespace, mapping the unprivileged user, then switching to the user. These steps need to be performed by a single executable.

  • I can't reproduce it on my script (root owns /proc/keepass_PID/root and I'm getting 'Permission denied'); running with sudo is the reason, right? – anon432 Apr 30 '19 at 17:26
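The single executable the answer calls for, written out as an added C example (this is not the answer's code; the tool name `confine`, the uid/gid, device, filesystem type, mount point and program are all hypothetical arguments). Running as root, it first creates a private mount namespace holding the device, then clones a child into a new user namespace and writes that child's uid_map and gid_map from the parent, because a process that has already entered the new namespace no longer holds CAP_SETUID/CAP_SETGID in the parent namespace and so can only map its own id; the child then switches to the mapped user and execs the program.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
static void die(const char *what) { perror(what); exit(1); }
/* One-line id mapping "<inside> <outside> 1": the user keeps its own id inside the new namespace. */
int build_id_map(char *buf, size_t len, unsigned id) { return snprintf(buf, len, "%u %u 1\n", id, id); }

/* Write text into /proc/<pid>/<name> (uid_map or gid_map) in a single write(); 0 on success, -1 on failure. */
int write_proc(pid_t pid, const char *name, const char *text) {
    char path[64]; snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    int fd = open(path, O_WRONLY); if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

static unsigned uid, gid; static int sync_fd[2]; static char **prog;   /* target ids, wake-up pipe, program */
static char child_stack[256 * 1024];

/* Runs in the new user namespace; its ids stay unmapped until the parent has written the maps. */
static int child(void *unused) {
    char c; (void)unused; close(sync_fd[1]);
    if (read(sync_fd[0], &c, 1) != 0) die("sync");          /* EOF: the parent has finished mapping */
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) die("switch user");
    execvp(prog[0], prog);                                    /* exec also drops the namespace capabilities */
    die("execvp"); return 1;
}

/* Usage (as root): confine <uid> <gid> <device> <fstype> <mountpoint> <program> [args...] (hypothetical tool) */
int main(int argc, char **argv) {
    if (argc < 7) { fprintf(stderr, "usage: %s uid gid device fstype mountpoint program [args...]\n", argv[0]); return 2; }
    uid = strtoul(argv[1], NULL, 10); gid = strtoul(argv[2], NULL, 10); prog = argv + 6;
    /* Still real root: private mount namespace holding the device (block devices cannot be mounted from inside a user namespace). */
    if (unshare(CLONE_NEWNS) || mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL)) die("mount namespace");
    if (mount(argv[3], argv[5], argv[4], MS_NOSUID | MS_NODEV, "") || pipe(sync_fd)) die("mount device");
    pid_t pid = clone(child, child_stack + sizeof child_stack, CLONE_NEWUSER | SIGCHLD, NULL); if (pid < 0) die("clone");
    char map[64];   /* the parent still has CAP_SETUID/CAP_SETGID in the initial user namespace, so it may map the user */
    if (build_id_map(map, sizeof map, uid) < 0 || write_proc(pid, "uid_map", map)) die("uid_map");
    if (build_id_map(map, sizeof map, gid) < 0 || write_proc(pid, "gid_map", map)) die("gid_map");
    close(sync_fd[1]);                                        /* release the child */
    int status = 1; waitpid(pid, &status, 0);                 /* the device is unmounted when this mount namespace goes away */
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with `gcc -o confine confine.c` and run it with sudo in place of the script above, e.g. `sudo ./confine 1000 1000 /dev/sdb1 vfat /home/user/hidden application`; mount options such as `uid=` for vfat are not passed through in this version.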