lxc-attach uses the .bash_history file from the user

[baptx]

Required information

• Distribution: Debian
• Distribution version: 12
• The output of
  • lxc-start --version
5.0.2
  • lxc-checkconfig

LXC version 5.0.2
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-6.1.0-18-amd64

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points: 
Cgroup v2 mount points: 
 - /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
                                                                                                                                                                                                                  
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

• uname -a
Linux debian 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
• cat /proc/self/cgroup
0::/user.slice/user-1000.slice/session-3.scope
• cat /proc/1/mounts

sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=16315612k,nr_inodes=4078903,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=3270220k,mode=755,inode64 0 0
/dev/nvme0n1p3 / ext4 rw,relatime,errors=remount-ro 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=1810 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
ramfs /run/credentials/systemd-sysusers.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
ramfs /run/credentials/systemd-sysctl.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
ramfs /run/credentials/systemd-tmpfiles-setup-dev.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
ramfs /run/credentials/systemd-tmpfiles-setup.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=3270216k,nr_inodes=817554,mode=700,uid=1000,gid=1000,inode64 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
portal /run/user/1000/doc fuse.portal rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0

Issue description with steps to reproduce

Create an unprivileged container, for example named kali with this guide:
https://www.kali.org/docs/containers/kalilinux-lxc-images/#unprivileged-kali-lxc-container-on-kali-host

• Start the container with the command lxc-unpriv-start kali or systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start kali (command based on https://linuxcontainers.org/lxc/getting-started/).
• Get a shell in the container with the command lxc-unpriv-attach kali or systemd-run --user --scope -p "Delegate=yes" -- lxc-attach kali (command based on lxc-attach fails on new systemd (with systemd-run) #3668 (comment)).
• Create a user, for example named bapt with the command adduser bapt so we can log in as a normal user with SSH later.

There are several issues:

• The user does not have access to their .bash_history file by default because it is owned by root so we have to execute chown bapt:bapt .bash_history.
• When we use lxc-attach, we are logged in as root in the user folder instead of /root/.
• When we use lxc-attach, the root commands appear in the .bash_history file from the user instead of /root/.bash_history (this does not appear when logging in as root with su command).

Can these issues be fixed and how can I make lxc-attach use the .bash_history file from the root user?

[hallyn]

The lxc-attach tool has a '--clear-env' option which will clear environment variables like HIST_FILE .

[baptx]

@hallyn I don't want to clear environment variables but want to use the .bash_history file from the root user with lxc-attach. Is there a way to do that? This should be the default since we are logged in as root with lxc-attach.

[hallyn]

@baptx you can set an individual environment variable using -v:

lxc-attach -v HISTFILE=/root/.bash_history -n jammy

I agree that is un-savory. But just unsetting HISTFILE in my environment before calling lxc-attach (or calling lxc-attach from dash) does not suffice, so it appears that bash in the container is buliding its HISTFILE variable from probably $HOME. And I can't unset that without breaking lxc's finding of its lockfiles etc.

So, you could set HISTFILE in /root/.bashrc in the container.

Really I think that lxc, by default, should reset some basic environment variables, including USER, LOGNAME, and HOME. It could set a LXC_USER to the original username as I'm sure some container workloads would like to know it.

@stgraber @brauner @tych0 do you know of lxc users for whom such a change in default would cause trouble?

[stgraber]

I'm sure it will break someone's script somewhere but in general it shouldn't be a big deal as complex consumers like Incus/LXD don't use any of the env inheritance stuff anyways.

[baptx]

@hallyn Setting HISTFILE in /root/.bashrc is not working because when I use lxc-attach-unpriv, it uses the .bashrc file from the user. With the command echo $USER I can see that my user name is displayed instead of the root user, even if I have root privileges and it displays root@kali in the command prompt.
So the current workaround is to attach the container with the parameter -v HISTFILE=/root/.bash_history but it would be more convenient if it is like this by default (in addition to using by default the root .bashrc and the root $USER variable that may be needed by some scripts).
Recently I also have installed the Debian package gtk3-nocsd on my host system and when I attach the Kali container, I can see the error "ERROR: ld.so: object 'libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.".
So I also have to set LD_PRELOAD= with the -v parameter (setting it in the user .bashrc is not working).

Update: In fact the --clear-env parameter mentioned previously uses the /root/.bashrc file so I don't need to manually override the HISTFILE and LD_PRELOAD variables. Having this option enabled by default with a way to way to disable it in a configuration file could be useful. However if I use the cd command without parameter, there is this error because the variable does not exist: "bash: cd: HOME not set".