document unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps trick
parent 9726836ac4
commit ae09a50f9d
1 changed files with 23 additions and 1 deletions
24
mmdebstrap
@ -6877,7 +6877,24 @@ Or without LXC:
$ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash
Or, if you don't mind using superuser privileges and have systemd-nspawn
Or without mmdebstrap:
$ unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps -- \
> /usr/sbin/chroot ./debian-rootfs /bin/bash
The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the
remaining uid/gid values will get shifted. Thus, we map the current effective
user/group ID to the highest possible uid/gid, putting them at the end. Since
that means that the user/group will be "nobody" and not "root" inside the
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it
would've had.
Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example):
$ sudo systemd-nspawn --private-users=100000 \
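Review bot: the two closing sentences of the new explanatory paragraph have subject-verb agreement errors: "C<--keep-caps> propagate permitted capabilities into the ambient set" should read "propagates", and "and thus give the user C<CAP_DAC_OVERRIDE>" should read "gives". The same paragraph also calls the target id "the highest possible uid/gid" and then says the user "will be 'nobody'", but 65536 is neither: given that C<--map-auto> places the subuid block at 0, 65536 is simply the first id past a 65536-entry block (the usual default allocation size), and inside the chroot it has no passwd entry, so it shows up as a bare number rather than as nobody (uid 65534 on Debian). Stating that the value is chosen to lie just beyond the mapped block, that readers with a differently sized subuid range must pick a different value, and that the point is merely that the process is not root would be more accurate than the current wording.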
@ -6888,6 +6905,11 @@ Instead, use something like this:
$ unshare --map-root-user --map-auto rm -rf ./debian-rootfs
The above L<unshare(1)> command will map user and group ids into different
ranges compared to the mapping used by B<mmdebstrap> (effectively shifting them
one up) but it will provide the required capabilities for the removal
operation.
If this mode is used as the root user, the user namespace is not unshared (but
the mount namespace and other still are) and created directories will have
correct ownership information. This is also useful in cases where the root user
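Review bot: the new paragraph asserts that the shifted mapping "will provide the required capabilities for the removal operation" without saying why the shift does not matter, which is the question a reader will have. One sentence would settle it: removal only requires that every owner id mmdebstrap wrote be mapped somewhere in the new namespace, because root's C<CAP_DAC_OVERRIDE> applies only to inodes whose owner is mapped; C<--map-auto> maps the same subuid block, merely starting at 1 instead of 0 since C<--map-root-user> takes id 0 (the "hole" behaviour explained in the previous hunk), so "shifting them one up" follows directly. It is also worth stating the limit of the trick: files owned by ids outside that block appear as the overflow id inside the namespace and cannot be removed this way.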