diff --git a/mmdebstrap b/mmdebstrap index 01d4a28..903cb19 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -4293,8 +4293,8 @@ sub get_sourceslist_by_suite { # the security mirror changes, starting with bullseye # https://lists.debian.org/87r26wqr2a.fsf@43-1.org my $bullseye_or_later = 0; - if (any { $_ eq $suite } ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie')) - { + if (any { $_ eq $suite } + ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie')) { $bullseye_or_later = 1; } my $distro_info = '/usr/share/distro-info/debian.csv'; 
@@ -6973,13 +6973,29 @@ The above uses C<--map-auto> to map the block of user/group ids for the effective user/group to a block starting at user/group ID 0. We also want to map the current effective user/group ID into the subuid/subgid range using C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps -with the respective range, a "hole" will be removed from the mapping and the -remaining uid/gid values will get shifted. Thus, we map the current effective -user/group ID to the highest possible uid/gid, putting them at the end. Since -that means that the user/group will be "nobody" and not "root" inside the -namespace, C<--keep-caps> propagate permitted capabilities into the ambient set -and thus give the user C and other capabilities that it -would've had. +with the respective range, a "hole" will be removed from the mapping by the +L utility and the remaining uid/gid values will get shifted. Thus, +we map the current effective user/group ID to the highest possible uid/gid, +putting them at the end. Since that means that the user/group will be "nobody" +and not "root" inside the namespace, C<--keep-caps> propagate permitted +capabilities into the ambient set and thus give the user C +and other capabilities that it would've had. The following does B work: + + $ unshare --map-root-user --map-auto ... # or equavalient: + $ unshare --map-user=0 --map-group=0 --map-users=auto --map-groups=auto ... + +Using the format of L, these options will result in the +following mapping: + + 0:$UID:1 + 1:$SUBUIDBASE:65535 + +So a hole is punched in the automatically mapped range at the very beginning to +make space for the user id of the current user as root inside the namespace and +the remaining uids are shifted. 
With C<--map-user=65536> the mapping is as +follows and places the current user at the end of the range, preventing any +shifting: + + 0:$SUBUIDBASE:65536 + 65536:$UID:1 Lastly, if you don't mind using superuser privileges and have systemd-nspawn available and you know your subuid/subgid offset (100000 in this example):
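Review bot: the first hunk (get_sourceslist_by_suite) is a whitespace-only reflow of the `if (any { $_ eq $suite } ...)` condition onto two lines with the opening brace moved onto the condition line; it changes no logic, and the suite list ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie') and the `$bullseye_or_later = 1` assignment are identical before and after. Fine as a style change, though it is unrelated to the documentation change in the second hunk and would be cleaner as its own commit.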
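Review bot: typo in the added example line in the second hunk: `$ unshare --map-root-user --map-auto ... # or equavalient:` should read "equivalent". In the same rewritten paragraph, "C<--keep-caps> propagate permitted capabilities" should be "propagates" (the subject is the single option); this wording predates the patch but the hunk rewraps that sentence anyway, so it is the right moment to fix it. The new explanation itself is sound and is a welcome addition: it spells out why the naive `--map-root-user --map-auto` form yields `0:$UID:1` / `1:$SUBUIDBASE:65535` (a hole punched at the start of the auto-mapped subuid range, shifting every remaining id by one) and why `--map-user=65536` instead yields `0:$SUBUIDBASE:65536` / `65536:$UID:1`, keeping the automatically mapped block contiguous. Two small suggestions: name the utility concretely in "a 'hole' will be removed from the mapping by the L utility" (the POD `L<...>` link target is what readers will look up, so it should point at the unshare(1) manual page that performs the mapping), and state explicitly that the 65535-wide range in the "does not work" case is one id short of the 65536-wide range in the working case, since that off-by-one is the visible consequence of the shifting the paragraph describes.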