-
Notifications
You must be signed in to change notification settings - Fork 236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for user and group ID mappings #468
Comments
Any movement on this? I've been exploring bubblewrap for a sandboxed build env and seem to also need this feature for chown purposes. |
If you want to propose an implementation, that would be the most likely way to get this feature. Note that bubblewrap is setuid root on some systems, so any new feature would have to be implemented in a way that does not create a security vulnerability - either by implementing it in a way that is safe for a setuid bubblewrap, or by automatically disabling the feature when setuid. |
Fair enough, and thanks for the reply. I've only started experimenting with the project on an Ubuntu system, without setuid. So I am not familiar with the code or an approach to an implementation yet. |
It turns out that the example demos/userns-block-fd.py got me where I needed, since it provides the hooks into running |
I'm also interested in (non-)fakeroot within containers. I'm imagining something like
So that inside the container we have two levels of security. The inside container "root" could install packages, but the inside container "1000" user cannot manipulate the inside container "root" files. And outside the container 1000 maps to 1000 as usual, and "root" to 10000 which is still unprivileged. @justinfx I'm curious where you got to with the demos/userns-block-fd.py demo code. Did you manage to map to any uid/gid other than the current user/group (e.g. 1000)? I can't get it to work with a loweruid other than 1000. In the demo code we set
and inside the container we appear as uid 0 (root) which maps to 1000 (current user) outside the container. I can change the "0" to any number and it seems to work. But I cannot change the 2nd last arg to map to anything other than 1000 (eg 10000+ which should be valid per /etc/subuid) or I get the same error mentioned in #518 |
If bwrap is not setuid root, then there are severe restrictions on the uid/gid mapping that the kernel will allow it to create (see The only reason why Inside a bwrap sandbox, the setuid bit on If bwrap does not do what you want, then using (or writing) a different tool that is not bwrap is always an option. |
@digitalsignalperson it's been almost 2 years since I had been playing in this space, so I had to review my prototype code. I was able to get what I needed from the demo code, with the difference being that I was only trying to ever map to the same internal and external uid and gid. And for the |
FWIW $ unshare -r --map-users=auto bwrap --dev-bind / / cat /proc/self/uid_map
0 1000 1
1 100000 65536 |
Cool thanks for all the insightful responses! @rusty-snake working off your example I was able to get
For other bwrap args, we can't use
And here's the mapping like I was originally going for:
Without Now with
Ah that |
If this was possible, then that would be a security vulnerability in something. The kernel is intentionally imposing a security restriction. Provisioning the host subuid and subgid files, in conjunction with the setuid If some component allowed unprivileged users to bypass the security restriction without the sysadmin's consent, then that would imply that there is a security vulnerability somewhere in the stack, either an implementation vulnerability or a design flaw. I would recommend that you do not spend your valuable time on constructing something that we would have to reject because it would be a security vulnerability.
It is not possible to do this in an unprivileged user namespace, because that would require uid 1000 and uid 0 to both exist inside your sandbox, and user namespaces created without using root privileges are not allowed to do that. If you want to have more than one uid inside a container created by an unprivileged user, then you need something that uses subuid/newuidmap to use a sysadmin-approved uid range, such as Podman or Incus. If you are talking about "using sudo" and "installing packages" then bwrap is probably the wrong tool for what you are aiming to achieve, and you would probably be better off using Podman or Incus anyway. |
Or, if you insist on not using something like Podman or Incus, you could construct your own elaborate containerization solution using |
Is it possible for bwrap to call |
Technically yes, but I doubt that such a feature will ever get accepted. Furthermore you can already do this by wrapping bwrap in a userns create by unshare, using Nevermind, you will not get |
Here's a full demo that I think is the opposite of these assertions. This example shows at least one way Let's do the whole experiment in a clean VM from scratch since we'll be copying/chowning the contents of
Inside this VM bash, setup: pacman -S bubblewrap --noconfirm
# Add user 1k (uid/gid=1000) and user 100k (uid/gid=100000)
groupadd -g 1000 1k
useradd -m 1k -u 1000 -g 1000
groupadd -g 100000 100k
useradd -m 100k -u 100000 -g 100000
# set uid/gid mappings
echo "1k:100000:65536" > /etc/subuid
echo "1k:100000:65536" > /etc/subgid
# allow uid 1000 for sudo
echo "1k ALL=(ALL) ALL" > "/etc/sudoers.d/10-1k"
# set a password for uid 1000
echo "1k:1k" | chpasswd
# set up our experiment: make a copy of /etc owned by user 100k
mkdir /tmp/fakeroot
cp -r /etc /tmp/fakeroot
chown -R 100k:100k /tmp/fakeroot/etc So if we bind this Now change user to 1k to start our experiment. I'll show the full terminal output for clarity of switching users
still inside bwrap, now let's sudo to user 1k
That works. Now try to sudo back to root
no dice. exit back to root
here's the files we created from this perspective
and now exit back to the VM and look at the same files
In summary:
|
Hi, I'm running into the same error as well
If I were to patch this (for academic purposes) so that I wouldn't have to need elevated privileges to make this work, where do you think should I start looking? I would appreciate it if you can let me know where I can start my research at. Many thanks |
Add options
--uid-map
and--gid-map
to map multiple users between child and parent namespace:bwrap --uid-map '<uid_in_child_ns> <loweruid_in_parent_ns> <count> ...' ...
Relying on shadow
newuidmap
utility, or implementing the same whitelisting logic from /etc/subuid (/etc/subgid).This would allow for (non-fakeroot) chown calls in build containers.
Recently added in util-linux as
unshare --map-users=...
.The text was updated successfully, but these errors were encountered: