Timeline for unshare --map-root-user switch to original uid/username after setup
Current License: CC BY-SA 4.0
8 events

| when | what | by | license | comment |
|---|---|---|---|---|
| Apr 27, 2022 at 22:52 | comment added | Compholio | | Interestingly, I can get this to work like I expect from the parent process by echoing the desired mapping to `/proc/$ID/uid_map` instead of using `/proc/self/uid_map` in the child process, or doing the same with the custom "revertuid". |
| Apr 21, 2022 at 14:54 | comment added | Compholio | | I feel like this needs a picture, hopefully this helps: dropbox.com/s/l2kjg00zi8td7q5/example.png?dl=0 |
| Apr 21, 2022 at 14:45 | comment added | Compholio | | I'm not trying to map back to the host ids, I understand that is impossible. What I would like to be able to do is "drop root" but still retain all the other ids. So, step 1: make a new namespace with user=root, ids 1-1000 from the subuid pool; step 2: make root=user, but keep ids 1-1000 rather than map them all to nobody. (Ideally I would also like to map, say, 1001 to root.) |
| Apr 21, 2022 at 5:40 | comment added | A.B | | @Compholio Also, user mapping is hierarchical: it's inherited from the parent, and can only shrink in size. There's no way to "map back" anything that wasn't mapped in the parent. The initial user namespace has 2^32 uids. If the newly created one (with the help of `newuidmap`) has uid 1000 + typically uids 65536-131071 (or 100000-165535) mapped, there's no way to ever map back, for example, the host's uid 1001, with or without the help of any privileged process (which could grant more than `newuidmap` but can't anyway). |
| Apr 21, 2022 at 4:04 | comment added | A.B | | @Compholio `newuidmap` is a setuid root helper tool. This answer was written without accounting for the use of `newuidmap` or any privileged tool. Without external help from a privileged process, a non-privileged (in the host namespace) user can only map between itself (in the current namespace) and one other user (in the new namespace). Only 1000 or 0 are of interest. Today the `unshare` command can do what's in this answer with `--map-user=` and `--map-group=`. |
| Apr 21, 2022 at 0:21 | comment added | Compholio | | Does this work for more complicated cases? I ask because I created a namespace with `unshare` and used `newuidmap` to map the user to root with all the other common ids mapped to the ids in `/etc/subuid`. I then used revertuid in this namespace and it only seems to work for the user id (`0 1000 1`) and not for any of the subuids (`1000 0 1\n0 1 999\n`). |
| Jul 20, 2018 at 11:32 | history edited | A.B | CC BY-SA 4.0 | added probable cause of change of behaviour (Linux 3.19) in answer |
| Jul 20, 2018 at 11:11 | history answered | A.B | CC BY-SA 4.0 | |