@ -6877,7 +6877,24 @@ Or without LXC:
$ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash
Or, if you don't mind using superuser privileges and have systemd-nspawn
Or without mmdebstrap:
$ unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps -- \
> /usr/sbin/chroot ./debian-rootfs /bin/bash
The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the
remaining uid/gid values will get shifted. Thus, we map the current effective
user/group ID to the highest possible uid/gid, putting them at the end. Since
that means that the user/group will be "nobody" and not "root" inside the
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it
would've had.
Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example):
$ sudo systemd-nspawn --private-users=100000 \
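Review bot: the sentence explaining C<--keep-caps> has a subject/verb mismatch and reads awkwardly: "C<--keep-caps> propagate permitted capabilities into the ambient set and thus give the user" should be "C<--keep-caps> propagates permitted capabilities into the ambient set and thus gives the user C<CAP_DAC_OVERRIDE> and the other capabilities it would otherwise have had". In the same paragraph, saying the user will be "nobody" inside the namespace is misleading: with C<--map-user=65536> the effective uid inside the namespace is 65536, which is not the nobody account (65534 on Debian) and has no passwd entry in the rootfs; consider saying the user will have an unprivileged, unnamed id rather than root. Also, with both "Or, if you don't mind using superuser privileges and have systemd-nspawn" and "Lastly, if you don't mind using superuser privileges and have systemd-nspawn" present in the hunk, make sure only the "Lastly" version survives so the paragraph is not duplicated.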
@ -6888,6 +6905,11 @@ Instead, use something like this:
$ unshare --map-root-user --map-auto rm -rf ./debian-rootfs
The above L<unshare(1)> command will map user and group ids into different
ranges compared to the mapping used by B<mmdebstrap> (effectively shifting them
one up) but it will provide the required capabilities for the removal
operation.
If this mode is used as the root user, the user namespace is not unshared (but
the mount namespace and other still are) and created directories will have
correct ownership information. This is also useful in cases where the root user
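Review bot: the paragraph after the C<unshare --map-root-user --map-auto rm -rf> command should spell out the practical consequence of the mapping being "shifted one up": C<--map-root-user> places the caller at uid/gid 0 and C<--map-auto> then starts the subuid/subgid block at 1, so files that were root-owned under the mapping used by B<mmdebstrap> show up as uid/gid 1 here. That is harmless for a recursive removal, which only needs the capabilities, but the doc should state that this invocation is not suitable for chrooting into or otherwise running the rootfs, where the off-by-one ownership would matter; something like "Do not use this mapping for anything but deleting the directory, as ownership inside the rootfs will appear shifted" after "operation." would do.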