
I'm trying to understand whether it's possible to map two users from a user namespace to two different users on the host.

The goal is to replicate the same permissions I have on my host inside a rootfs (Ubuntu base, because I'm trying to build a container from scratch).

For example:

  • Everything under / should belong to root.
  • /home/user should belong to the regular user.

To achieve this, I was thinking of using UID mapping in a user namespace, something like:

    UID in user namespace ---> UID on host
    1000 (admin)           ->  0 (root)
    1001 (bob)             ->  1001 (bob)

Is this kind of mapping even possible?

Here’s what I’ve already tried:

  • Running echo -e "1000 0 1\n1001 1001 1" > /proc/[PID]/uid_map to define the mapping, but I get an error.
  • Trying to manually modify /proc/[PID]/uid_map using newuidmap for each user.

However, I’ve never been able to map more than one user, and I can’t seem to map UID 0 (root) at all.

I’ve read the man pages and followed the constraints mentioned there, but I’m still getting error messages.

For example:

    # terminal 1
    unshare --user bash
    echo $$
    # 11591

    # terminal 2 as user 'alex' (uid = 1000)
    newuidmap 11591 0 0 1
    # newuidmap: uid range [0-1) -> [0-1) not allowed
    newuidmap 11591 1001 1001 1
    # newuidmap: uid range [1001-1002) -> [1001-1002) not allowed

These commands fail, even when run with sudo.

I also tried mapping to subuids that I’ve declared, but it still doesn’t work:

    cat /etc/subuid
    alex:100000:65536
    root:200000:65536
    self:300000:65536

    cat /etc/subgid
    alex:100000:65536
    root:200000:65536
    self:300000:65536
  • Only one UID (typically 0) can be mapped from the namespace to the host. Non-root users can only map UIDs within their allocated sub-UID ranges (alex:100000:65536). newuidmap requires explicit permission; even sudo may not bypass /etc/subuid restrictions. (Commented Apr 17 at 15:26)
  • Attempting to map non-sub-UIDs (1001 1001 1): "Error: uid range [1001-1002) -> [1001-1002) not allowed". alex (UID 1000) can only map UIDs from their assigned range 100000-165535 in /etc/subuid. You cannot arbitrarily map host UIDs (like 1001) unless they are part of your sub-UID range. (Commented Apr 17 at 15:27)

1 Answer


The kernel documentation states that only one UID/GID in the namespace may be mapped to host UID/GID 0. A single UID-0 mapping, 1000 0 1, must appear before any other mappings.

Check user and group ID mappings: uid_map and gid_map.

Range overlaps are prohibited. For example, 1001 1001 1 must not conflict with the first mapping.

Without newuidmap, the operation fails due to insufficient permissions, even as root inside the namespace.

Non-privileged users can only create mappings within their assigned sub-UIDs/GIDs.

From /etc/subuid:

From /etc/subgid:

Use newuidmap and newgidmap to set up secure mappings.

The man page explains the syntax:

There are users here who can explain this in more detail ^^
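To make the rules above concrete, here is an added example (not code from the question or the answer) that validates a proposed uid_map before anything is written to /proc/[pid]/uid_map. It models the write rules documented in user_namespaces(7): at most 340 lines, no overlapping inside or outside ranges, and, for a writer without CAP_SETUID in the parent namespace, exactly one length-1 line mapping the writer's own effective UID. It also models the single /etc/subuid check the page shows newuidmap applying (the host range must lie inside a range granted to the caller). The constant names, function names and the sample /etc/subuid text are constructed for this example; the subuid entries mirror the ones shown in the question.

```python
"""Check a uid_map against the kernel's write rules and a subuid policy.

Added example for this page; not the kernel's or shadow's own code. The
rules follow user_namespaces(7); the newuidmap check models only what the
question's error messages show (host range must sit inside /etc/subuid).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_MAP_LINES = 340      # Linux >= 4.15 (earlier kernels allowed 5 lines)
ID_MAX = 2**32 - 2       # (uid_t)-1 is reserved as the invalid ID

# Constructed sample mirroring the /etc/subuid shown in the question.
SUBUID_SAMPLE = """\
alex:100000:65536
root:200000:65536
self:300000:65536
"""


@dataclass(frozen=True)
class MapLine:
    inside: int   # first ID inside the user namespace
    outside: int  # first ID in the parent (host) namespace
    count: int    # length of the range


def parse_map(text: str) -> List[MapLine]:
    """Parse uid_map syntax: one 'inside outside count' triple per line."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        fields = raw.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {raw!r}")
        lines.append(MapLine(*(int(f) for f in fields)))
    return lines


def parse_subuid(text: str, owner: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges that /etc/subuid grants to `owner`."""
    ranges = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        name, start, count = raw.split(":")
        if name == owner:
            ranges.append((int(start), int(count)))
    return ranges


def _overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True if half-open ranges [start, start+count) intersect."""
    return a[0] < b[0] + b[1] and b[0] < a[0] + a[1]


def check_kernel_rules(lines: List[MapLine], writer_euid: int,
                       writer_has_cap_setuid: bool) -> Optional[str]:
    """Return None if the kernel would accept the map, else the reason."""
    if not lines:
        return "map is empty"
    if len(lines) > MAX_MAP_LINES:
        return f"more than {MAX_MAP_LINES} lines"
    for ln in lines:
        if ln.count < 1:
            return f"zero-length range at inside ID {ln.inside}"
        if ln.inside + ln.count - 1 > ID_MAX or ln.outside + ln.count - 1 > ID_MAX:
            return "range exceeds the 32-bit ID space"
    # Inside ranges must not overlap each other, nor may outside ranges.
    for i, a in enumerate(lines):
        for b in lines[i + 1:]:
            if _overlaps((a.inside, a.count), (b.inside, b.count)):
                return f"inside ranges overlap: {a} and {b}"
            if _overlaps((a.outside, a.count), (b.outside, b.count)):
                return f"outside ranges overlap: {a} and {b}"
    if not writer_has_cap_setuid:
        # Unprivileged writer: one line, length 1, mapping only its own EUID.
        only = lines[0]
        if len(lines) != 1 or only.count != 1 or only.outside != writer_euid:
            return ("without CAP_SETUID in the parent namespace only a single "
                    f"'<id> {writer_euid} 1' line is allowed")
    return None


def check_newuidmap_policy(lines: List[MapLine],
                           subuid_ranges: List[Tuple[int, int]]) -> Optional[str]:
    """Model the /etc/subuid check behind the 'not allowed' errors on the page."""
    for ln in lines:
        lo_ok = any(lo <= ln.outside and ln.outside + ln.count <= lo + cnt
                    for lo, cnt in subuid_ranges)
        if not lo_ok:
            return (f"uid range [{ln.inside}-{ln.inside + ln.count}) -> "
                    f"[{ln.outside}-{ln.outside + ln.count}) not allowed")
    return None


if __name__ == "__main__":
    alex = parse_subuid(SUBUID_SAMPLE, "alex")
    wanted = parse_map("1000 0 1\n1001 1001 1")
    print("direct write by alex:", check_kernel_rules(wanted, 1000, False))
    print("same map with CAP_SETUID:", check_kernel_rules(wanted, 1000, True))
    print("newuidmap 0 0 1:", check_newuidmap_policy(parse_map("0 0 1"), alex))
    print("newuidmap 0 100000 65536:",
          check_newuidmap_policy(parse_map("0 100000 65536"), alex))
```

Running it shows the two separate gates the question ran into: the kernel refuses the two-line map from an unprivileged writer regardless of its contents (only a single `1000 1000 1`-style self-mapping is permitted there), while the very same map passes the kernel's own rules when written with CAP_SETUID; newuidmap then rejects host 0 and host 1001 for alex because neither lies inside alex's 100000-165535 subuid range, but accepts `0 100000 65536`.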
