[lxc-users] unprivileged LXC and lxc-attach...

Dirk Geschke dirk at lug-erding.de
Fri Jul 7 09:57:22 UTC 2017 

Hi all,

I'm not sure, if this was already discussed. But it is a strange
behaviour for me. An lxc-attach of an unprivileged user to his
unprivileged LXC (the container runs without problems), fails.

I tracked it down and ended up hier:

17583 openat(3, "uid_map", O_WRONLY)    = 6
17583 write(6, "0 689825 1\n1002 1002 1\n", 23) = -1 EPERM (Operation not permitted)
17583 write(2, "newuidmap: write to uid_map failed: Operation not permitted\n", 60) = 60

Note, 1002 is the UID/GID of the unprivileged user, the subuid starts
at:

# grep stretch /etc/subuid /etc/subgid
/etc/subuid:stretch:689825:65536
/etc/subgid:stretch:689825:65536

and of course, newuidmap is installed SUID:

17582 stat("/usr/bin/newuidmap", {st_mode=S_IFREG|S_ISUID|0755, st_size=37136, ...}) = 0

and 

# ls -l /usr/bin/newuidmap
-rwsr-xr-x 1 root root 37136 May 17 13:59 /usr/bin/newuidmap

Installed is LXC-2.0.8, Debian stretch with kernel 4.11.7

If I run lxc-attach as user root with -P pointing to the unprivileged
container, there is no problem. But with an strace, I don't see a call
to newuidmap in this case.

So I guess, it is a problem with newuidmap writing to uid_map:

    write(6, "0 689825 1\n1002 1002 1\n", 23) 

I'm wondering, if it is a problem with the newlines, why are there two
lines?

The man page of user_namespaces(7) states as one rule:

   +  The data written to uid_map (gid_map) must consist of a single 
      line that maps the writing process's effective user ID (group ID)
      in the parent user namespace to a user ID (group ID) in the user 
      namespace.

and

    Writes that violate the above rules fail with the error EPERM.

Is this the reason it fails? And why does it happen now and never
before? 

Has anyone an idea?

Best regards

Dirk

-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at geschke-online.de / dirk at lug-erding.de  / kontakt at lug-erding.de |
+----------------------------------------------------------------------+

More information about the lxc-users mailing list