From ae09a50f9d8b924a464727418f979dbefbd18640 Mon Sep 17 00:00:00 2001 From: Johannes Schauer Marin Rodrigues Date: Sat, 23 Mar 2024 22:50:34 +0100 Subject: [PATCH] document unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps trick --- mmdebstrap | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/mmdebstrap b/mmdebstrap index eea1240..3217201 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -6877,7 +6877,24 @@ Or without LXC: $ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash -Or, if you don't mind using superuser privileges and have systemd-nspawn +Or without mmdebstrap: + + $ unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps -- \ + > /usr/sbin/chroot ./debian-rootfs /bin/bash + +The above uses C<--map-auto> to map the block of user/group ids for the +effective user/group to a block starting at user/group ID 0. We also want to +map the current effective user/group ID into the subuid/subgid range using +C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps +with the respective range, a "hole" will be removed from the mapping and the +remaining uid/gid values will get shifted. Thus, we map the current effective +user/group ID to the highest possible uid/gid, putting them at the end. Since +that means that the user/group will be "nobody" and not "root" inside the +namespace, C<--keep-caps> propagate permitted capabilities into the ambient set +and thus give the user C and other capabilities that it +would've had. + +Lastly, if you don't mind using superuser privileges and have systemd-nspawn available and you know your subuid/subgid offset (100000 in this example): $ sudo systemd-nspawn --private-users=100000 \ 
@@ -6888,6 +6905,11 @@ Instead, use something like this: $ unshare --map-root-user --map-auto rm -rf ./debian-rootfs +The above L command will map user and group ids into different +ranges compared to the mapping used by B (effectively shifting them +one up) but it will provide the required capabilities for the removal +operation. + If this mode is used as the root user, the user namespace is not unshared (but the mount namespace and other still are) and created directories will have correct ownership information. This is also useful in cases where the root user
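Review bot: In the first hunk the sentence ending "give the user C and other capabilities that it would've had" is missing the capability name in the visible text (the C<...> markup is empty where the other options, e.g. C<--map-auto>, render correctly), and the verbs do not agree with the subject ("C<--keep-caps> propagate ... and thus give" should read "propagates ... and thus gives"). Please fill in the intended capability (CAP_SYS_ADMIN or whichever one the chroot needs) and fix the agreement. Two wording points in the same paragraph: "a 'hole' will be removed from the mapping" is confusing, since the hole is created, not removed (suggest "a hole will be punched into the mapping and the remaining uid/gid values will be shifted"), and "the highest possible uid/gid" does not obviously match the value 65536 used in the command, which is the first id just past a 65536-entry block starting at 0; stating explicitly that 65536 is chosen so it sits directly after the block mapped by --map-auto would make the example self-explanatory.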
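Review bot: In the second hunk the added paragraph reads "The above L command will map user and group ids ... compared to the mapping used by B" in the visible text, so the L<...> and B<...> markup appears empty and the rendered manpage would show a bare "L" and "B" to the reader; this should be L<unshare(1)> (or C<unshare>, matching the C<--map-auto> style used in the previous hunk) and B<mmdebstrap>. Also consider spelling out what "effectively shifting them one up" means: with --map-root-user the current uid becomes 0 and the subuid block starts at 1, whereas the earlier mapping starts the block at 0, so files created under one mapping are owned by id+1 under the other, which is why the capabilities, not the matching ownership, are what make the rm -rf succeed.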