forked from josch/mmdebstrap
mmdebstrap: fix perltidy formatting
parent 37678c4fb5
commit 500b0d2512
1 changed files with 25 additions and 9 deletions
@ -4293,8 +4293,8 @@ sub get_sourceslist_by_suite {
# the security mirror changes, starting with bullseye
# https://lists.debian.org/87r26wqr2a.fsf@43-1.org
my $bullseye_or_later = 0;
if (any { $_ eq $suite } ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie'))
{
if (any { $_ eq $suite }
('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie')) {
$bullseye_or_later = 1;
}
my $distro_info = '/usr/share/distro-info/debian.csv';
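Review bot: the suite list in `if (any { $_ eq $suite } ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie'))` has to be extended by hand for every release after trixie, and the comment above it ("the security mirror changes, starting with bullseye") describes a property that is better derived than enumerated; since the very next line already points at `/usr/share/distro-info/debian.csv`, consider computing `$bullseye_or_later` from that data when the file is available and keeping the literal list only as a fallback. The re-wrapping of the condition itself is behaviour-neutral.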
@ -6973,13 +6973,29 @@ The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the
remaining uid/gid values will get shifted. Thus, we map the current effective
user/group ID to the highest possible uid/gid, putting them at the end. Since
that means that the user/group will be "nobody" and not "root" inside the
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it
would've had.
with the respective range, a "hole" will be removed from the mapping by the
L<unshare(1)> utility and the remaining uid/gid values will get shifted. Thus,
we map the current effective user/group ID to the highest possible uid/gid,
putting them at the end. Since that means that the user/group will be "nobody"
and not "root" inside the namespace, C<--keep-caps> propagate permitted
capabilities into the ambient set and thus give the user C<CAP_DAC_OVERRIDE>
and other capabilities that it would've had. The following does B<NOT> work:
$ unshare --map-root-user --map-auto ... # or equavalient:
$ unshare --map-user=0 --map-group=0 --map-users=auto --map-groups=auto ...
Using the format of L<lxc-usernsexec(1)>, these options will result in the
following mapping:
0:$UID:1 + 1:$SUBUIDBASE:65535
So a hole is punched in the automatically mapped range at the very beginning to
make space for the user id of the current user as root inside the namespace and
the remaining uids are shifted. With C<--map-user=65536> the mapping is as
follows and places the current user at the end of the range, preventing any
shifting:
0:$SUBUIDBASE:65536 + 65536:$UID:1
Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example):
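Review bot: "equavalient" in the new line `$ unshare --map-root-user --map-auto ... # or equavalient:` is a typo for "equivalent", and "C<--keep-caps> propagate permitted capabilities" in the re-wrapped paragraph needs "propagates" to agree with its singular subject; both sit in lines this commit already touches, so they belong in this change rather than a follow-up. The phrase "a "hole" will be removed from the mapping by the L<unshare(1)> utility" also reads awkwardly beside the later sentence "So a hole is punched in the automatically mapped range"; "a "hole" will be punched into the mapping by L<unshare(1)>" would keep the two descriptions consistent, which matters here because the shifted-uid pitfall and the C<--map-user=65536> workaround are the whole point of the paragraph.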