  • Does this work for more complicated cases? I ask because I created a namespace with unshare and used newuidmap to map the user to root, with all the other common ids mapped to the ids in /etc/subuid. I then used revertuid in this namespace, and it only seems to work for the user id ("0 1000 1") and not for any of the subuids ("1000 0 1\n0 1 999\n"). Commented Apr 21, 2022 at 0:21
  • @Compholio newuidmap is a setuid-root helper tool. This answer was written without accounting for the use of newuidmap or any privileged tool. Without external help from a privileged process, a non-privileged (in the host namespace) user can only map between itself (in the current namespace) and one other user (in the new namespace). Only 1000 or 0 are of interest. Today the unshare command can do what's in this answer with --map-user= and --map-group=. Commented Apr 21, 2022 at 4:04
  • @Compholio Also, user mapping is hierarchical: it's inherited from the parent, and can only shrink in size. There's no way to "map back" anything that wasn't mapped in the parent. The initial user namespace has 2^32 uids. If the newly created one (with the help of newuidmap) has uid 1000 + typically uids 65536-131071 (or 100000-165535) mapped, there's no way to ever map back, for example, the host's uid 1001, with or without the help of any privileged process (which could grant more than newuidmap but can't anyway). Commented Apr 21, 2022 at 5:40
  • I'm not trying to map back to the host ids; I understand that is impossible. What I would like to be able to do is "drop root" but still retain all the other ids. So, step 1: make a new namespace with user=root, ids 1-1000 from the subuid pool; step 2: make root=user, but keep ids 1-1000 rather than map them all to nobody. (Ideally I would also like to map, say, 1001 to root.) Commented Apr 21, 2022 at 14:45
  • I feel like this needs a picture, hopefully this helps: dropbox.com/s/l2kjg00zi8td7q5/example.png?dl=0 Commented Apr 21, 2022 at 14:54
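The two constraints discussed in the comments above (a child namespace's uid_map may only use parent-side ids that the parent itself has mapped, and an id the parent never mapped can never be reached from any descendant) can be checked offline with a small model of the uid_map file format. The following is an added example, not code from the thread or from the unshare/newuidmap tools; the function names and the sample mappings (host user 1000 with subuid range 100000-165535, as mentioned in the comments, and a nested "drop root" map of the form the asker describes) are constructed here. It parses "inside outside count" lines, validates a proposed nested map against its parent, and translates ids up and down a chain of namespaces.

```python
"""Model of Linux user-namespace uid_map files (added example; names and sample
data constructed for illustration, not taken from the thread).

A uid_map line is "inside outside count": `count` ids starting at `inside`
in the namespace correspond to `count` ids starting at `outside` in its
parent namespace.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_IDS = 2 ** 32  # size of the initial namespace's id space


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen in the parent namespace
    count: int

    def inside_last(self) -> int:
        return self.inside + self.count - 1

    def outside_last(self) -> int:
        return self.outside + self.count - 1


def parse_id_map(text: str) -> List[IdRange]:
    """Parse the contents of a uid_map/gid_map file into ranges."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {raw!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range: {raw!r}")
        if inside + count > MAX_IDS or outside + count > MAX_IDS:
            raise ValueError(f"range exceeds id space: {raw!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


# The initial namespace maps every id to itself.
INITIAL_NS: List[IdRange] = [IdRange(0, 0, MAX_IDS)]


def _overlaps(a_first: int, a_last: int, b_first: int, b_last: int) -> bool:
    return a_first <= b_last and b_first <= a_last


def check_child_map(parent_map: List[IdRange], child_map: List[IdRange]) -> List[str]:
    """Return the reasons a proposed child map is invalid (empty list = OK).

    Every parent-side range of the child must lie inside a single range that
    the parent namespace itself has mapped, and ranges may not overlap on
    either side. This is why a mapping can only shrink as namespaces nest.
    """
    problems = []
    for i, r in enumerate(child_map):
        covered = any(p.inside <= r.outside and r.outside_last() <= p.inside_last()
                      for p in parent_map)
        if not covered:
            problems.append(f"line {i}: parent ids {r.outside}-{r.outside_last()} "
                            "are not mapped in the parent namespace")
        for j in range(i + 1, len(child_map)):
            s = child_map[j]
            if _overlaps(r.inside, r.inside_last(), s.inside, s.inside_last()):
                problems.append(f"lines {i} and {j}: inside ranges overlap")
            if _overlaps(r.outside, r.outside_last(), s.outside, s.outside_last()):
                problems.append(f"lines {i} and {j}: parent-side ranges overlap")
    return problems


def map_up(id_map: List[IdRange], inside_id: int) -> Optional[int]:
    """Translate an id from a namespace to its parent; None if unmapped."""
    for r in id_map:
        if r.inside <= inside_id <= r.inside_last():
            return r.outside + (inside_id - r.inside)
    return None


def map_down(id_map: List[IdRange], outside_id: int) -> Optional[int]:
    """Translate an id from the parent into a namespace; None if unmapped."""
    for r in id_map:
        if r.outside <= outside_id <= r.outside_last():
            return r.inside + (outside_id - r.outside)
    return None


def host_id_of(chain: List[List[IdRange]], inside_id: int) -> Optional[int]:
    """chain[0] is the outermost (non-initial) namespace, chain[-1] the innermost."""
    uid: Optional[int] = inside_id
    for id_map in reversed(chain):
        uid = map_up(id_map, uid)
        if uid is None:
            return None
    return uid


def inside_id_of(chain: List[List[IdRange]], host_id: int) -> Optional[int]:
    """Which id in the innermost namespace corresponds to a host id, if any."""
    uid: Optional[int] = host_id
    for id_map in chain:
        uid = map_down(id_map, uid)
        if uid is None:
            return None
    return uid


if __name__ == "__main__":
    # Constructed sample: newuidmap maps user 1000 to root plus one subuid block.
    level1 = parse_id_map("0 1000 1\n1 100000 65536")
    # Constructed nested map: give root back to uid 1000, keep the rest.
    level2 = parse_id_map("1000 0 1\n0 1 999")
    print(check_child_map(level1, level2))          # []
    print(inside_id_of([level1], 1001))            # None: host 1001 was never mapped
    print(host_id_of([level1, level2], 1000))      # 1000
```

Run with no arguments to see the constructed example; `check_child_map` reports why a map would be refused, and `inside_id_of` shows that a host id dropped at level 1 stays unreachable in every deeper namespace, whatever map that namespace writes.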