unshare -n
February 11, 2015
A few days ago I discovered the nifty unshare
utility that’s part of Debian’s util-linux
package when trying to find a way to keep a process from connecting to the internet (without disconnecting my whole machine). Thanks, stackexchange!
If you want to keep a process from connecting to the internet, it’s a simple as running:
$ unshare -n ping google.com
Although, on Debian Wheezy, I found I needed to setuid the process with chmod +s /usr/bin/unshare
to avoid running the child process as root. This should be safe, as the man page for unshare states:
The unshare command drops potential privileges before executing the target program. This allows to setuid unshare.(see update)
It should be noted that this doesn’t make it safe to run malicious processes on your computer, as it’s not a full sandbox. It’s great for preventing accidental network connections, or in testing software failure states.
Update
Zach Wilcox informed me via email that this no longer works with modern kernels.
I’ve made a new post with some workaround ideas.
The views expressed on this site are my own and do not reflect those of my employer.