document unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps trick

This commit is contained in:
Johannes Schauer Marin Rodrigues 2024-03-23 22:50:34 +01:00
parent 9726836ac4
commit ae09a50f9d
Signed by: josch
GPG key ID: F2CBA5C78FBD83E1


@ -6877,7 +6877,24 @@ Or without LXC:
$ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash $ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash
Or, if you don't mind using superuser privileges and have systemd-nspawn Or without mmdebstrap:
$ unshare --map-auto --map-user=65536 --map-group=65536 --keep-caps -- \
> /usr/sbin/chroot ./debian-rootfs /bin/bash
The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the
remaining uid/gid values will get shifted. Thus, we map the current effective
user/group ID to the highest possible uid/gid, putting them at the end. Since
that means that the user/group will be "nobody" and not "root" inside the
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it
would've had.
Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example): available and you know your subuid/subgid offset (100000 in this example):
$ sudo systemd-nspawn --private-users=100000 \ $ sudo systemd-nspawn --private-users=100000 \
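Review bot: the explanation of the `--map-user=65536 --map-group=65536` values in this hunk does not match the command it documents: the prose says the effective user/group is mapped "to the highest possible uid/gid", but 65536 is not the highest possible ID, it is the first ID just past a subuid/subgid block of 65536 entries that `--map-auto` has placed at 0. Say so explicitly (the value must equal the size of the user's block from `/etc/subuid` and `/etc/subgid`, so a reader with a differently sized range has to adjust both numbers), otherwise the example silently breaks for anyone whose block is not exactly 65536 IDs. Two smaller wording points in the same paragraph: "a 'hole' will be removed from the mapping" reads backwards, the overlapping ID is carved out of the mapping, so "a hole would be punched into the mapping and the remaining uid/gid values shifted" is clearer; and "C<--keep-caps> propagate permitted capabilities ... and thus give the user" should be "propagates ... and thus gives the user". Since `--keep-caps` is what restores C<CAP_DAC_OVERRIDE> and friends inside the namespace, it is also worth one sentence noting that without it the chroot shell runs as an unprivileged, unnamed ID and many operations on root-owned files in the rootfs will fail with permission denied, which is the symptom a reader who drops that flag will see.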
@ -6888,6 +6905,11 @@ Instead, use something like this:
$ unshare --map-root-user --map-auto rm -rf ./debian-rootfs $ unshare --map-root-user --map-auto rm -rf ./debian-rootfs
The above L<unshare(1)> command will map user and group ids into different
ranges compared to the mapping used by B<mmdebstrap> (effectively shifting them
one up) but it will provide the required capabilities for the removal
operation.
If this mode is used as the root user, the user namespace is not unshared (but If this mode is used as the root user, the user namespace is not unshared (but
the mount namespace and other still are) and created directories will have the mount namespace and other still are) and created directories will have
correct ownership information. This is also useful in cases where the root user correct ownership information. This is also useful in cases where the root user
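Review bot: the parenthetical "(effectively shifting them one up)" in the new paragraph is asserted without a reason, and a reader who has not followed the earlier section will not know where the shift comes from. Tie it back to the hole-punching behaviour documented for `--map-auto` above: `--map-root-user` maps the effective user to ID 0, which collides with the start of the auto-mapped subuid block, so the block is shifted to start at 1 rather than 0 as it does under B<mmdebstrap>. Spelling that out also makes the security-relevant consequence clear: the command grants the capabilities needed to delete the tree, but because the ID layout differs from the one used when the rootfs was created, the same invocation should not be relied on for anything that depends on file ownership matching the original mapping. As a minor style point in the retained context directly below, "the mount namespace and other still are" should read "and others still are".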