5.8 KiB
Time Namespace
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The time namespace allows for per-namespace offsets to the system monotonic and boot-time clocks. The time namespace is suited for Linux containers usage for allowing the date/time to be changed within a container and for adjusting clocks within a container following restoration from a checkpoint/snapshot.
Lab:
Create different Namespaces
CLI
sudo unshare -T [--mount-proc] /bin/bash
By mounting a new instance of the /proc
filesystem if you use the param --mount-proc
, you ensure that the new mount namespace has an accurate and isolated view of the process information specific to that namespace.
Error: bash: fork: Cannot allocate memory
When unshare
is executed without the -f
option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below:
-
Problem Explanation:
- The Linux kernel allows a process to create new namespaces using the
unshare
system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - Running
%unshare -p /bin/bash%
starts/bin/bash
in the same process asunshare
. Consequently,/bin/bash
and its child processes are in the original PID namespace. - The first child process of
/bin/bash
in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace.
- The Linux kernel allows a process to create new namespaces using the
-
Consequence:
- The exit of PID 1 in a new namespace leads to the cleaning of the
PIDNS_HASH_ADDING
flag. This results in thealloc_pid
function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error.
- The exit of PID 1 in a new namespace leads to the cleaning of the
-
Solution:
- The issue can be resolved by using the
-f
option withunshare
. This option makesunshare
fork a new process after creating the new PID namespace. - Executing
%unshare -fp /bin/bash%
ensures that theunshare
command itself becomes PID 1 in the new namespace./bin/bash
and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation.
- The issue can be resolved by using the
By ensuring that unshare
runs with the -f
flag, the new PID namespace is correctly maintained, allowing /bin/bash
and its sub-processes to operate without encountering the memory allocation error.
Docker
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
Check which namespace is your process in
ls -l /proc/self/ns/time
lrwxrwxrwx 1 root root 0 Apr 4 21:16 /proc/self/ns/time -> 'time:[4026531834]'
Find all Time namespaces
{% code overflow="wrap" %}
sudo find /proc -maxdepth 3 -type l -name time -exec readlink {} \; 2>/dev/null | sort -u
# Find the processes with an specific namespace
sudo find /proc -maxdepth 3 -type l -name time -exec ls -l {} \; 2>/dev/null | grep <ns-number>
{% endcode %}
Enter inside a Time namespace
nsenter -T TARGET_PID --pid /bin/bash
Also, you can only enter in another process namespace if you are root. And you cannot enter in other namespace without a descriptor pointing to it (like /proc/self/ns/net
).
References
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.