document unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps trick
Parent: 9726836ac4
Commit: ae09a50f9d
1 changed file with 23 additions and 1 deletion: mmdebstrap (24 lines changed)
@ -6877,7 +6877,24 @@ Or without LXC:

$ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash

Or, if you don't mind using superuser privileges and have systemd-nspawn
Or without mmdebstrap:

$ unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps -- \
> /usr/sbin/chroot ./debian-rootfs /bin/bash

The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the
remaining uid/gid values will get shifted. Thus, we map the current effective
user/group ID to the highest possible uid/gid, putting them at the end. Since
that means that the user/group will be "nobody" and not "root" inside the
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it
would've had.

Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example):

$ sudo systemd-nspawn --private-users=100000 \
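Review bot: the explanatory paragraph added after the `unshare` command has two wording problems that make the mapping hard to follow. "a "hole" will be removed from the mapping" reads as the opposite of what it describes when the caller's uid/gid falls inside the auto-mapped block; consider "the range is split around that id, so the ids following it are shifted". Further, "C<--keep-caps> propagate permitted capabilities" should be "propagates", and "that it would've had" is clearer as "that it would otherwise have had as root". The command also hard-codes `--map-user=65536 --map-group=65536` while the text calls this "the highest possible uid/gid"; that only holds when the subuid/subgid block is exactly 65536 ids long, so state that assumption next to the command (as the systemd-nspawn example does for its offset of 100000), otherwise a reader with a larger range will pick a value that lands inside the mapped block and triggers exactly the shift the paragraph warns about.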
@ -6888,6 +6905,11 @@ Instead, use something like this:

$ unshare --map-root-user --map-auto rm -rf ./debian-rootfs

The above L<unshare(1)> command will map user and group ids into different
ranges compared to the mapping used by B<mmdebstrap> (effectively shifting them
one up) but it will provide the required capabilities for the removal
operation.

If this mode is used as the root user, the user namespace is not unshared (but
the mount namespace and other still are) and created directories will have
correct ownership information. This is also useful in cases where the root user
|
||||
|
|
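Review bot: the `$ unshare --map-root-user --map-auto rm -rf ./debian-rootfs` example omits the `--` separator that the first hunk's `unshare` example places before the chroot command; use `$ unshare --map-root-user --map-auto -- rm -rf ./debian-rootfs` so both examples follow the same convention and the options meant for `rm` are unambiguously not parsed by `unshare`. The new sentence "effectively shifting them one up" is a good addition, since with `--map-root-user` the caller takes inner id 0 and the auto-mapped block follows it; while here, the pre-existing context line "the mount namespace and other still are" should read "others still are".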
Loading…
Reference in a new issue