unshare -n

February 11, 2015

A few days ago I discovered the nifty unshare utility that’s part of Debian’s util-linux package when trying to find a way to keep a process from connecting to the internet (without disconnecting my whole machine). Thanks, stackexchange!

If you want to keep a process from connecting to the internet, it’s a simple as running:

$ unshare -n ping google.com

Although, on Debian Wheezy, I found I needed to setuid the process with chmod +s /usr/bin/unshare to avoid running the child process as root. This should be safe, as the man page for unshare states:

The unshare command drops potential privileges before executing the target program. This allows to setuid unshare. (see update)

It should be noted that this doesn’t make it safe to run malicious processes on your computer, as it’s not a full sandbox. It’s great for preventing accidental network connections, or in testing software failure states.

Update

Zach Wilcox informed me via email that this no longer works with modern kernels.

I’ve made a new post with some workaround ideas.