blob: b908c501a22539b55eb30b16676c4e4ecdb244b4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
.TH USERMNT 1 mntrun\-VERSION
.SH NAME
mntrun \- mounts binds and overlays inside an ephemeral mount namespace, and runs a command in it
.SH SYNOPSIS
.B mntrun
.RB [ \-dhv ]
.RB [ \-b
.IR "source dest" ]
.RB [[ \-o | \-m ]
.IR "lower upper workdir mountpoint" ]
.IR command
.SH DESCRIPTION
Exploits SUID to allow regular users to create overlays and binds mounts inside an ephemeral namespace, and to run
.I command
inside this new namespace. mntrun prints to stderr whenever an error occurs, but errors concerning mounts are better diagnosed using
.BR dmesg (1).
.TP
These switches are mutually exclusive and must come right after 'mntrun':
.TP
.B \-d
Enable debug logs.
.TP
.B \-h
Display usage and quit.
.TP
.B \-v
Display version and quit.
.TP
The following mount directives can appear several times:
.TP
.BI \-b " source dest"
Bind: binds
.I source
to
.IR dest .
This directive will fail if the current user does't have the permission to write to
.IR dest .
.TP
.BI \-o " lowers upper workdir mountpoint"
Overlay: overlays
.IR lowers ,
a colon-separated list of read-only directories, and a writable directory
.IR upper
onto
.IR mountpoint ,
using
.I workdir
as the working directory. This directive will fail if the current user doesn't have the permission to write to upper, workdir or mountpoint .
.TP
.BI \-m " lowers upper workir mountpoint"
Merge: like
.BR \-o ,
but
.I mountpoint
is prepended to
.IR lowers .
.TP
As mentioned, mntrun must belong to root and have SUID permission to work for regular users.
.SH AUTHORS
B. Bergeron <[email protected]>
.SH SEE ALSO
.BR mount (8),
.BR dmesg (1)
|
