userns-check

command
v0.1.0
Published: May 20, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Detects whether user namespaces are restricted by checking if getsockopt(SO_TYPE) returns EACCES when a unix socket fd is inherited by a child spawned with CLONE_NEWUSER + a UID mapping + exec.

This reproduces the exact failure path in the nerdbox shim where net.FileListener calls getsockopt(fd, SOL_SOCKET, SO_TYPE) and gets EACCES.

The exec is critical: it triggers capability recomputation. With euid != 0 in the new userns, caps drop to zero, and cross-userns socket access fails.

Exit codes:

0  — userns NOT restricted (getsockopt succeeded)
1  — userns RESTRICTED (getsockopt got EACCES/EPERM)
2  — unexpected error
77 — skipped (running as root)
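
The check described above could be written as follows. This is an added example, not the userns-check source: the `child` argument, the function names, the unbound AF_UNIX socket and the in-namespace UID 1000 are assumptions. It builds on Linux only.

```go
package main

import (
	"errors"
	"os"
	"os/exec"
	"syscall"
)

// classify maps a getsockopt result to the exit codes listed on the page.
func classify(err error) int {
	switch {
	case err == nil:
		return 0 // userns not restricted
	case errors.Is(err, syscall.EACCES), errors.Is(err, syscall.EPERM):
		return 1 // userns restricted
	}
	return 2 // unexpected error
}

// probe re-executes this binary in a new user namespace with a socket on fd 3.
func probe() int {
	if os.Geteuid() == 0 {
		return 77 // skipped: running as root
	}
	fd, err := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
	if err != nil {
		return 2
	}
	sock := os.NewFile(uintptr(fd), "unix-socket")
	defer sock.Close()
	cmd := exec.Command("/proc/self/exe", "child") // the exec recomputes capabilities
	cmd.ExtraFiles = []*os.File{sock}              // inherited as fd 3
	cmd.SysProcAttr = &syscall.SysProcAttr{        // non-zero UID inside the new userns
		Cloneflags:  syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 1000, HostID: os.Getuid(), Size: 1}},
	}
	if cmd.Run(); cmd.ProcessState == nil {
		return 2 // assumption: a failed clone or exec counts as unexpected
	}
	return cmd.ProcessState.ExitCode()
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" { // child: query the inherited socket
		_, err := syscall.GetsockoptInt(3, syscall.SOL_SOCKET, syscall.SO_TYPE)
		os.Exit(classify(err))
	}
	os.Exit(probe())
}
```

The parent only relays the child's exit status, so the 0/1/2 result always reflects what getsockopt returned after the exec inside the new namespace.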
