[lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1

KATOH Yasufumi karma at jazz.email.ne.jp
Mon Jun 23 10:36:58 UTC 2014


>>> On Fri, 20 Jun 2014 18:33:40 +0000
    in message   "Re: [lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1"
                  Serge Hallyn-san wrote:

> > The owning group of /dev/pts/* is 'tty' group. Isn't it related?

> Oh, yeah, then you'll need to make it

> lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/3

I tried this:
  $ lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/1
  newgidmap: gid range [100-101) -> [5-6) not allowed
  setgid: Invalid argument

'newgidmap' only succeeds when
  * the specified range is allowed to the user in the /etc/subgid file
or
  * the specified range is the user's own gid,
but in this case both are false.

When '-m g:0:100000:1 -m g:100:5:1' is specified, lxc-usernsexec runs the
following command:
  newgidmap [PID] 0 100000 1 100 5 1

The first part (0 100000 1) is allowed, but the second part fails the
check in the verify_range function (in newgidmap.c in shadow), so it is
disallowed:

  /* Allow a process to map it's own gid */
  if ((range->count == 1) && (pw->pw_gid == range->lower))
          return true;
  return false;

What should we do? Or did I make a mistake?

Thanks,
KATOH Yasufumi
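The range check discussed above (a host-side gid range passes only if it lies inside one of the user's /etc/subgid allocations, or is a single gid equal to the user's own gid), reproduced as an added example. This is illustration code written for this thread, not shadow's newgidmap.c; the /etc/subgid contents, the user name "karma" and its gid 1000 are constructed assumptions chosen to match the mapping quoted in the mail.

```c
/* Reproduction of the newgidmap range check from the mail above.
 * Illustration only; not the shadow project's own code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One "ns_id host_id count" triple as newgidmap receives it on argv. */
struct map_range {
    unsigned long upper;  /* first gid inside the new user namespace */
    unsigned long lower;  /* first gid on the host (parent namespace) */
    unsigned long count;  /* number of gids in the range */
};

/* Constructed /etc/subgid ("name:start:count" per line); an assumption,
 * standing in for a host where each user got 65536 subordinate gids. */
static const char *SUBGID =
    "ubuntu:100000:65536\n"
    "karma:100000:65536\n";

/* Mirror of have_sub_gids(): true if [lower, lower+count) lies entirely
 * inside one of the user's /etc/subgid ranges. */
static bool have_sub_gids(const char *user, unsigned long lower,
                          unsigned long count)
{
    const char *p = SUBGID;
    char name[64];
    unsigned long start, n;

    while (*p) {
        if (sscanf(p, "%63[^:]:%lu:%lu", name, &start, &n) == 3 &&
            strcmp(name, user) == 0 &&
            lower >= start && lower + count <= start + n)
            return true;
        p = strchr(p, '\n');
        if (!p)
            break;
        p++;
    }
    return false;
}

/* Same decision order as verify_range() in newgidmap.c: reject empty
 * ranges, accept /etc/subgid ranges, then allow a single-gid mapping of
 * the caller's own gid; everything else is refused. */
static bool verify_range(const char *user, unsigned long pw_gid,
                         const struct map_range *range)
{
    if (range->count == 0)
        return false;
    if (have_sub_gids(user, range->lower, range->count))
        return true;
    if (range->count == 1 && pw_gid == range->lower)
        return true;
    return false;
}

/* Parse "ns host count ns host count ..." (the arguments after the pid)
 * and return the index of the first triple verify_range() rejects,
 * or -1 when the whole mapping is allowed. */
int check_mapping(const char *user, unsigned long pw_gid, const char *args)
{
    char buf[256];
    unsigned long v[3];
    int i = 0, idx = 0;

    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        v[i++] = strtoul(tok, NULL, 10);
        if (i == 3) {
            struct map_range r = { v[0], v[1], v[2] };
            if (!verify_range(user, pw_gid, &r)) {
                /* Same shape as the message in the mail:
                 * "gid range [100-101) -> [5-6) not allowed" */
                printf("newgidmap: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n",
                       r.upper, r.upper + r.count, r.lower, r.lower + r.count);
                return idx;
            }
            i = 0;
            idx++;
        }
    }
    return -1;
}

int main(void)
{
    /* The mapping from the mail: first triple passes, second is refused. */
    int bad = check_mapping("karma", 1000, "0 100000 1 100 5 1");
    printf("first rejected range index: %d\n", bad);
    /* Mapping the caller's own gid 1000 as a single gid is allowed. */
    printf("own gid mapping ok: %d\n",
           check_mapping("karma", 1000, "0 100000 1 100 1000 1") == -1);
    return 0;
}
```

Host gid 5 (the "tty" group here) is neither in karma's /etc/subgid range nor karma's own gid, so the second triple is refused exactly as the quoted error shows; pointing the second triple at the caller's own gid, or adding the target gid to /etc/subgid, are the two conditions the check accepts.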

