Jeff Schaller

I'm trying to understand whether it's possible to map two users from a user namespace to two different users on the host.

The goal is to replicate the same permissions I have on my host inside a rootfs (Ubuntu base, because I'm trying to build a container from scratch).

For example:

  • Everything under / should belong to root.
  • /home/user should belong to the regular user.

To achieve this, I was thinking of using UID mapping in a user namespace, something like:

UID in user namespace      ---> UID on host
      1000 (admin)         ->       0 (root)
      1001 (bob)           ->    1001 (bob)

Is this kind of mapping even possible?

Here’s what I’ve already tried:

  • Running echo -e "1000 0 1\n1001 1001 1" > /proc/[PID]/uid_map to define the mapping, but I get an error.
  • Trying to manually modify /proc/[PID]/uid_map using newuidmap for each user.

However, I’ve never been able to map more than one user, and I can’t seem to map UID 0 (root) at all.

I’ve read the man pages and followed the constraints mentioned there, but I’m still getting error messages.

For example:

# terminal 1

unshare --user bash
echo $$ # 11591
# terminal 2 as user 'alex' (uid = 1000)

newuidmap 11591 0 0 1
# newuidmap: uid range [0-1) -> [0-1) not allowed

newuidmap 11591 1001 1001 1
# newuidmap: uid range [1001-1002) -> [1001-1002) not allowed

These commands fail, even when run with sudo.

I also tried mapping to subuids that I’ve declared, but it still doesn’t work:

cat /etc/subuid

alex:100000:65536
root:200000:65536
self:300000:65536

cat /etc/subgid

alex:100000:65536
root:200000:65536
self:300000:65536
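An added example, not part of the question and not the shadow tools' own code: a Python model of the checks newuidmap applies before it writes /proc/PID/uid_map, run against the /etc/subuid shown above. It shows why the two attempts above (and the sudo variant) are refused, and what a mapping alex can install looks like; SUBUID and the function names are the example's own.

```python
# Added illustration, not the shadow project's code: a model of the checks
# newuidmap(1) makes before writing /proc/PID/uid_map, fed the /etc/subuid from
# the question; SUBUID, parse_subuid, have_sub_uids, check_uid_map are its own names.

SUBUID = """\
alex:100000:65536
root:200000:65536
self:300000:65536
"""

def parse_subuid(text):
    """Parse 'owner:start:count' lines into {owner: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            owner, start, count = line.strip().split(":")
            ranges.setdefault(owner, []).append((int(start), int(count)))
    return ranges

def have_sub_uids(ranges, owner, outer, count):
    """True if host range [outer, outer+count) lies inside one of owner's ranges."""
    return any(s <= outer and outer + count <= s + n for s, n in ranges.get(owner, []))

def check_uid_map(ranges, caller, caller_uid, target_owner_uid, triples):
    """Return (ok, reason) for (inner, outer, count) triples as newuidmap would.

    A host range passes only inside the caller's subuid allotment or as the
    caller's own uid with count 1; the target process must be owned by the
    caller, so `sudo newuidmap` on alex's process fails before ranges are read.
    """
    if target_owner_uid != caller_uid:
        return False, "target process owned by uid %d, caller is uid %d" % (
            target_owner_uid, caller_uid)
    for inner, outer, count in triples:
        if count <= 0:
            return False, "empty range"
        if have_sub_uids(ranges, caller, outer, count):
            continue  # inside the caller's /etc/subuid allotment
        if count == 1 and outer == caller_uid:
            continue  # a user may always map their own uid
        return False, "uid range [%d-%d) -> [%d-%d) not allowed" % (
            outer, outer + count, inner, inner + count)
    return True, "ok"

def alex_attempts():
    """alex's attempts from the question, then one mapping alex can install."""
    r = parse_subuid(SUBUID)
    return [check_uid_map(r, "alex", 1000, 1000, t) for t in (
        [(0, 0, 1)], [(1001, 1001, 1)], [(1000, 0, 1), (1001, 1001, 1)],
        [(0, 1000, 1), (1, 100000, 65536)])]
```

The last triple list is the shape an unprivileged container builder normally ends up with: the user's own uid becomes root inside the namespace and the rest of the rootfs owners come from the subuid allotment, because host uid 0 and host uid 1001 are not in alex's /etc/subuid entry.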
edited title
Marcus Müller