Mount Namespace
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Basic Information
A mount namespace is a Linux kernel feature that provides isolation of the file system mount points seen by a group of processes. Each mount namespace has its own set of file system mount points, and changes to the mount points in one namespace do not affect other namespaces. This means that processes running in different mount namespaces can have different views of the file system hierarchy.
Mount namespaces are particularly useful in containerization, where each container should have its own file system and configuration, isolated from other containers and the host system.
How it works:
When a new mount namespace is created, it is initialized with a copy of the mount points from its parent namespace. This means that, at creation, the new namespace shares the same view of the file system as its parent. However, any subsequent changes to the mount points within the namespace will not affect the parent or other namespaces.
When a process modifies a mount point within its namespace, such as mounting or unmounting a file system, the change is local to that namespace and does not affect other namespaces. This allows each namespace to have its own independent file system hierarchy.
Processes can move between namespaces using the
setns()
system call, or create new namespaces using theunshare()
orclone()
system calls with theCLONE_NEWNS
flag. When a process moves to a new namespace or creates one, it will start using the mount points associated with that namespace.File descriptors and inodes are shared across namespaces, meaning that if a process in one namespace has an open file descriptor pointing to a file, it can pass that file descriptor to a process in another namespace, and both processes will access the same file. However, the file's path may not be the same in both namespaces due to differences in mount points.
Lab:
Create different Namespaces
CLI
sudo unshare -m [--mount-proc] /bin/bash
By mounting a new instance of the /proc
filesystem if you use the param --mount-proc
, you ensure that the new mount namespace has an accurate and isolated view of the process information specific to that namespace.
Docker
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
Check which namespace is your process in
ls -l /proc/self/ns/mnt
lrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/mnt -> 'mnt:[4026531841]'
Find all Mount namespaces
sudo find /proc -maxdepth 3 -type l -name mnt -exec readlink {} \; 2>/dev/null | sort -u
# Find the processes with an specific namespace
sudo find /proc -maxdepth 3 -type l -name mnt -exec ls -l {} \; 2>/dev/null | grep <ns-number>
findmnt
Enter inside a Mount namespace
nsenter -m TARGET_PID --pid /bin/bash
Also, you can only enter in another process namespace if you are root. And you cannot enter in other namespace without a descriptor pointing to it (like /proc/self/ns/mnt
).
Because new mounts are only accessible within the namespace it's possible that a namespace contains sensitive information that can only be accessible from it.
Mount something
# Generate new mount ns
unshare -m /bin/bash
mkdir /tmp/mount_ns_example
mount -t tmpfs tmpfs /tmp/mount_ns_example
mount | grep tmpfs # "tmpfs on /tmp/mount_ns_example"
echo test > /tmp/mount_ns_example/test
ls /tmp/mount_ns_example/test # Exists
# From the host
mount | grep tmpfs # Cannot see "tmpfs on /tmp/mount_ns_example"
ls /tmp/mount_ns_example/test # Doesn't exist
# findmnt # List existing mounts
TARGET SOURCE FSTYPE OPTIONS
/ /dev/mapper/web05--vg-root
# unshare --mount # run a shell in a new mount namespace
# mount --bind /usr/bin/ /mnt/
# ls /mnt/cp
/mnt/cp
# exit # exit the shell, and hence the mount namespace
# ls /mnt/cp
ls: cannot access '/mnt/cp': No such file or directory
## Notice there's different files in /tmp
# ls /tmp
revshell.elf
# ls /mnt/tmp
krb5cc_75401103_X5yEyy
systemd-private-3d87c249e8a84451994ad692609cd4b6-apache2.service-77w9dT
systemd-private-3d87c249e8a84451994ad692609cd4b6-systemd-resolved.service-RnMUhT
systemd-private-3d87c249e8a84451994ad692609cd4b6-systemd-timesyncd.service-FAnDql
vmware-root_662-2689143848
References
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Last updated