> For the complete documentation index, see [llms.txt](https://0xn3va.gitbook.io/cheat-sheets/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/pid-namespace-sharing.md). # PID Namespace Sharing ## Overview PID namespace provides separation between processes. It prevents system processes from being visible and allows process IDs to be reused including PID 1. If the host's PID namespace is shared with containers, it would allow these to see all of the processes on the host system. If the PID namespace is shared it means that: * The container process no longer has PID 1. Some containers refuse to start without PID 1 (for example, containers using `systemd`) or run commands like `kill -HUP 1` to signal the container process. In Kubernetes pods with a shared process namespace, `kill -HUP 1` will signal the pod sandbox. * Host processes (or processes of containers in a pod) are visible to containers (or other containers). This includes all information visible in `/proc`, such as secrets that were passed as arguments or environment variables. These are protected only by regular Unix permissions. * Host (or container) filesystems are visible to containers (or other containers in the pod) through the `/proc/[pid]/root` link. PID namespace sharing decreases process level isolation between the host and the containers and makes possible various kinds of attacks including injection into a host's process (requires [CAP\_SYS\_PTRACE](/cheat-sheets/container/escaping/excessive-capabilities.md#cap_sys_ptrace)). ## References * [tbhaxor: Container Breakout – Part 1 (LAB: Process Injection)](https://tbhaxor.com/container-breakout-part-1/) * [#BrokenSesame: Accidental ‘write’ permissions to private registry allowed potential RCE to Alibaba Cloud Database Services](https://www.wiz.io/blog/brokensesame-accidental-write-permissions-to-private-registry-allowed-potential-r) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://0xn3va.gitbook.io/cheat-sheets/container/escaping/pid-namespace-sharing.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.