Can't use user/group IDs in unshared namespace

When mounting a tmpfs in a mount and user namespace that is separate from my ‘regular’ system, my expectation is that it’s possible to use any user/group ID.

There would be no need for mapping IDs since the tmpfs is only present in this mount namespace (I have /etc/sub{g,u}id set up, though).

But what happens is this:

me   $ mkdir tmp
me   $ unshare -Urm
root $ mount -t tmpfs none tmp
root $ cd tmp
root $ touch asdf
root $ chown 3:3 asdf
chown: changing ownership of 'asdf': Invalid argument

I’m failing to work out the reason.
Can someone shine some light onto this?

For copy-n-paste testing with unshare -Urm:

mkdir tmp
mount -t tmpfs none tmp
cd tmp
touch asdf
chown 3:3 asdf

Asked By: Banyoghurt


For a given user namespace, any process within the namespace that didn’t map a given UID or GID (this affects even the actual initial root user that would have run unshare -Urnm) will, depending on the system call, get an EPERM or an EINVAL error when trying to do something affecting such a UID somehow (e.g., for a process or for a file). This is explained in user_namespaces(7), but the explanation is quite complex.

Trying to read the value for such a UID/GID, if not resulting in EINVAL, will instead retrieve the overflow UID/GID, usually nobody and nogroup, as described in detail in the “Unmapped user and group IDs” section of the user_namespaces(7) man page.

The only way to involve more than one’s own UID is to use a privileged helper. There’s one such common pair of helpers, which are even a dependency for tools intended to run as a normal user, such as podman: the commands newuidmap and newgidmap, which verify user credentials in /etc/subuid and /etc/subgid. The entries in these files are usually added at user account creation, but can be modified to suit further needs.

If a user could unilaterally change user namespace to become root and affect the parent (e.g., host) user namespace, that user would have the privileges of the root user. That’s not the case. The intended use, with helpers, is to reserve a range of UID-GIDs (in a subrange of 0-4294967294, not just 0-65534) for this user. The mapping should be distinct between different users for accountability (but that’s not required).

Answered By: A.B
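
An added illustration, not part of the question or the answer above: a small model of the ID lookup over the /proc/<pid>/uid_map format, showing why `chown 3:3` hits an unmapped ID under `unshare -Ur` but not once a helper has mapped a range. The caller UID 1000 and the subordinate range starting at 100000 are constructed sample values, and the GID map is assumed to have the same shape as the UID map.

```python
# Constructed sample maps in /proc/<pid>/uid_map format:
# "<first ID inside ns> <first ID in parent ns> <length>"
MAP_UNSHARE_UR = "0 1000 1\n"                    # assumed: caller has UID 1000
MAP_WITH_HELPER = "0 1000 1\n1 100000 65536\n"   # assumed subuid range from 100000

OVERFLOW_ID = 65534  # default value of /proc/sys/kernel/overflowuid


def parse_id_map(text):
    """Return a list of (inside, outside, length) extents."""
    extents = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(f) for f in line.split())
            extents.append((inside, outside, length))
    return extents


def to_parent(extents, ns_id):
    """Translate an ID used inside the namespace to the parent namespace.
    None means the ID has no mapping."""
    for inside, outside, length in extents:
        if inside <= ns_id < inside + length:
            return outside + (ns_id - inside)
    return None


def from_parent(extents, parent_id):
    """Translate a parent-namespace ID to what a process inside sees;
    unmapped IDs are reported as the overflow ID."""
    for inside, outside, length in extents:
        if outside <= parent_id < outside + length:
            return inside + (parent_id - outside)
    return OVERFLOW_ID


def chown_result(uid_extents, uid, gid_extents, gid):
    """Model only the mapping check of `chown uid:gid`, not privileges."""
    if to_parent(uid_extents, uid) is None or to_parent(gid_extents, gid) is None:
        return "EINVAL"
    return "ok"


if __name__ == "__main__":
    for name, text in (("unshare -Ur", MAP_UNSHARE_UR), ("helper", MAP_WITH_HELPER)):
        m = parse_id_map(text)
        print(name, "| chown 3:3 ->", chown_result(m, 3, m, 3),
              "| parent UID 0 seen as", from_parent(m, 0))
```
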