Subordinate GIDs/UIDs with LXC and userns for unprivileged user

lxcshadowuserns

When using userns (via LXC in my case), you assign a range of subordinate GIDs and UIDs to an unprivileged user. See for resources: subuid(5), subgid(5), newuidmap(1), newgidmap(1), user_namespaces(7).

That range can then be used and will via userns be mapped to the system account.

Let's assume we have a (host) system account john with a UID (and GID) of 1000. The assigned range of GIDs and UIDs is 100000..165536.

So an entry exists in /etc/subgid and /etc/subuid respectively:

john:100000:65536

Files that inside the unprivileged container are owned by the "inside" john will now be owned by 101000 on the host and those owned by the "inside" root will be owned by 100000.

Normally these ranges are not assigned to any name on the host.

Questions:

is it alright to create a user for those respective UIDs/GIDs on the host in order to have a more meaningful output for ls and friends?
is there a way to make those files/folder accessible to the host user who "owns" the userns, i.e. john in our case? And if so, is the only sensible method to create a group shared between those valid users inside the subordinate range and and the userns "owner" and set the permissions accordingly? Well, or ACLs, obviously.

Best Answer

Is it alright to create a user for those respective UIDs/GIDs on the host in order to have a more meaningful output for ls and friends?

Yes it is alright. However you must ensure that such user has no right over anything in the host system:

Disabled access or password,
No usable login shell,
No writeable home directory.

Be also sure to not create any duplicate in your user names.

Here is a sample script, taking the guest's /etc/passwd and /etc/group files to create the corresponding users in the host system. All names are prefixed with the container name, and all IDs are increased using the given value to match container's UIDs:

#! /bin/sh

# Path to guest's `/etc' directory.
guest_etc=/var/lib/lxc/mycontainer/rootfs/etc
# Guest's name, used as login prefix and inside GECOS field.
guest_name=mycontainer
# Increment to be applied to UIDs and GIDs (= range start).
uid_incr=100000
gid_incr=$uid_incr

guest_passwd=${guest_etc}/passwd
guest_group=${guest_etc}/group

exec <$guest_group
while IFS=":" read name pass gid null; do
    gid_new=$( expr $gid + $gid_incr )
    if ! getent group $gid_new >/dev/null; then
        addgroup --system --gid $gid_new "${guest_name}_${name}"
    fi  
done

exec <$guest_passwd
while IFS=":" read login pass uid gid gecos null; do
    uid_new=$( expr $uid + $uid_incr )
    gid_new=$( expr $gid + $gid_incr )
    if ! getent passwd $uid_new >/dev/null; then
        adduser --system --home /nonexistent --no-create-home \
            --shell /bin/nologin --uid $uid_new --gid $gid_new \
            --gecos "\"$guest_name container user (${gecos})\"" \
            "${guest_name}_${login}"
    fi  
done

The warnings regarding the inaccessible home directory are normal and expected: this is the actual purpose of /nonexistent to not exist.

is there a way to make those files/folder accessible to the host user who "owns" the userns, i.e. john in our case? And if so, is the only sensible method to create a group shared between those valid users inside the subordinate range and and the userns "owner" and set the permissions accordingly? Well, or ACLs, obviously.

This should really worth a separate question IMO.

Since the container's content is owned by different UIDs than the container owner UID, then it is not accessible to him. I can imagine an exception to this rule for subusers, but there is currently none I am aware of (I've created a related question a few time ago, but no answer yet).

The files /etc/subuid and /etc/subgid are currently only used by newuidmap(1) to allow or deny the switch from one UID/GID to another of a given process. It does not give the range owner any other right.

Therefore, the solution to such issue should be designed on a case-per-case basis. Beware however with you ACL idea: let's say you put some ACLs on the container's files to allow your host's UID 1000 to read them, this means that the container's user with container's UID 1000 will also have the same level of privilege...

Preliminary assumptions

I'll stick with the following assumptions, extended from what I have from your question:

host has a user1 and a user2, if an information isn't specific to one, we'll use userX
the container will be named by a variable which we will render as $container
home folders for user1 and user2 will be given in the notation known from Bash as ~user1 and ~user2.
we'll assume the subordinate UID and GID ranges to be 100000..165536 for user1 and 200000..265536 for user2 just for brevity
the root FS folder for $container will be rendered as $rootfs, regardless of where it will end up (~userX/.local/share/lxc/$container/rootfs)
container configuration is by default in ~userX/.local/share/lxc/$container/config

Moving the container

There are two relevant pieces of data that govern the userns containers:

owner and group for the files/folders of the folders comprising the $container
the subordinate UIDs and GIDs assigned in two places: /etc/sub{uid,gid} for the user account (manipulated via usermod --{add,del}-sub-{uid,gid}s) and lxc.id_map in the $container configuration (~userX/.local/share/lxc/$container/config) respectively
- I don't know for certain whether it is possible to define different ranges in the container configuration for each container. E.g. if the host user userX has 65536 subordinate GIDs and UIDs, it might be possible to assign 5000 to 65 different containers, but I haven't tested that hypothesis.
- it is certain, though, that this setting communicates to LXC which are the valid ranges for GID and UID in the child namespace.

So the gist is really that you need to make sure that the file/folder owner and group for the container match the configuration, which in turn has to be a valid subset of the host subordinate GIDs/UIDs assigned to user1 and user2 respectively.

If you're using Bash, for example, you can use $((expression)) for arithmetic expressions and let to assign arithmetic expressions to variables. This is mighty useful if you know a base value (100000 and 200000 respectively) and the GID/UID for the "inside" users.

The main points are:

it's possible
either the capability CAP_CHOWN or superuser rights are required

Here's a script that will probably need some more honing (example: migration from root-created container to unprivileged), but it works for me for the purpose:

#!/usr/bin/env bash

function syntax
{
    echo "SYNTAX: ${0##*/} <from-user> <to-user> <container-name>"
    [[ -n "$1" ]] && echo -e "\nERROR: ${1}."
    exit 1
}

# Checks
[[ -n "$1" ]] || syntax "<from-user> is not set"
[[ -n "$2" ]] || syntax "<to-user> is not set"
[[ -n "$3" ]] || syntax "<container-name> is not set"
[[ "$UID" -eq "0" ]] || syntax "${0##*/}" "You must be superuser to make use of this script"
# Constants with stuff we need
readonly USERFROM=$1
readonly USERTO=$2
shift; shift
readonly CONTAINER=${1:-*}
LXCLOCAL=".local/share/lxc"
readonly HOMEFROM=$(eval echo ~$USERFROM)
readonly HOMETO=$(eval echo ~$USERTO)
readonly LXCFROM="$HOMEFROM/$LXCLOCAL"
readonly LXCTO="$HOMETO/$LXCLOCAL"
readonly GIDBASEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$2}" /etc/subgid)
readonly UIDBASEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$2}" /etc/subuid)
readonly GIDSIZEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$3}" /etc/subgid)
readonly UIDSIZEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$3}" /etc/subuid)
readonly GIDBASETO=$(awk -F : "\$1 ~/$USERTO/ {print \$2}" /etc/subgid)
readonly UIDBASETO=$(awk -F : "\$1 ~/$USERTO/ {print \$2}" /etc/subuid)
readonly GIDSIZETO=$(awk -F : "\$1 ~/$USERTO/ {print \$3}" /etc/subgid)
readonly UIDSIZETO=$(awk -F : "\$1 ~/$USERTO/ {print \$3}" /etc/subuid)
unset LXCLOCAL
# More checks
[[ -d "$LXCFROM" ]] || syntax "Could not locate '$LXCFROM'. It is not a directory as expected"
[[ -e "$LXCTO" ]] && syntax "Destination '$LXCTO' already exists. However, it must not"
for i in GIDBASEFROM UIDBASEFROM GIDBASETO UIDBASETO; do
    (($i > 0)) || syntax "Could not determine base/offset of subordinate UID/GID range"
done
for i in GIDSIZEFROM UIDSIZEFROM GIDSIZETO UIDSIZETO; do
    (($i > 0)) || syntax "Could not determine length of subordinate UID/GID range"
done

echo "Going to migrate container: $CONTAINER"
echo -e "\tfrom user $USERFROM ($HOMEFROM): subUID=${UIDBASEFROM}..$((UIDBASEFROM+UIDSIZEFROM)); subGID=${GIDBASEFROM}..$((GIDBASEFROM+GIDSIZEFROM))"
echo -e "\tto user $USERTO ($HOMETO): subUID=${UIDBASETO}..$((UIDBASETO+UIDSIZETO)); subGID=${GIDBASETO}..$((GIDBASETO+GIDSIZETO))"
while read -p "Do you want to continue? (y/N) "; do
    case ${REPLY:0:1} in
        y|Y)
            break;
            ;;
        *)
            echo "User asked to abort."
            exit 1
            ;;
    esac
done

# Find the UIDs and GIDs in use in the container
readonly SUBGIDSFROM=$(find -H "$LXCFROM" -printf '%G\n'|sort -u)
readonly SUBUIDSFROM=$(find -H "$LXCFROM" -printf '%U\n'|sort -u)

# Change group
for gid in $SUBGIDSFROM; do
    let GIDTO=$(id -g "$USERTO")
    if ((gid == $(id -g "$USERFROM"))); then
        echo "Changing group from $USERFROM ($gid) to $USERTO ($GIDTO)"
        find -H "$LXCFROM/$CONTAINER" -gid $gid -exec chgrp $GIDTO {} +
    elif ((gid >= GIDBASEFROM )) && ((gid <= GIDBASEFROM+GIDSIZEFROM)); then
        let GIDTO=$((gid-GIDBASEFROM+GIDBASETO))
        echo "Changing group $gid -> $GIDTO"
        find -H "$LXCFROM/$CONTAINER" -gid $gid -exec chgrp $GIDTO {} +
    else
        echo "ERROR: Some file/folder inside '$LXCFROM/$CONTAINER' has a group not assigned to $USERFROM (assigned subordinate GIDs)."
        echo -e "Use:\n\tfind -H '$LXCFROM/$CONTAINER' -gid $gid\nto list those files/folders."
        exit 1
    fi
done

# Change owner
for uid in $SUBUIDSFROM; do
    let UIDTO=$(id -u "$USERTO")
    if ((uid == $(id -u "$USERFROM"))); then
        echo "Changing owner from $USERFROM ($uid) to $USERTO ($UIDTO)"
        find -H "$LXCFROM/$CONTAINER" -uid $uid -exec chown $UIDTO {} +
    elif ((uid >= UIDBASEFROM )) && ((uid <= UIDBASEFROM+UIDSIZEFROM)); then
        let UIDTO=$((uid-UIDBASEFROM+UIDBASETO))
        echo "Changing owner $uid -> $UIDTO"
        find -H "$LXCFROM/$CONTAINER" -uid $uid -exec chown $UIDTO {} +
    else
        echo "ERROR: Some file/folder inside '$LXCFROM/$CONTAINER' has an owner not assigned to $USERFROM (assigned subordinate UIDs)."
        echo -e "Use:\n\tfind -H '$LXCFROM/$CONTAINER' -uid $uid\nto list those files/folders."
        exit 1
    fi
done
mv "$LXCFROM/$CONTAINER" "$LXCTO/" || { echo "ERROR: failed to move to destination: ${LXCTO}/${CONTAINER}."; exit 1; }

In addition to the license terms of the StackExchange network, I am putting this into the public domain. So reuse and modify for whatever purpose, but it comes without any warranty and I must not be held liable for its use or abuse.

Usage

SYNTAX: lxc-reassign-userns.sh <from-user> <to-user> <container-name>

It assumes find, sort, uniq, awk (mawk and gawk should work), id, bash, chown, chmod and so on to be available and to understand all the command line switches it is using. For Bash readonly and let and arithmetic expressions are assumed to be understood. For find is assumes + is a valid terminator for the -exec action.

This list is probably not complete.

Backups

Yes, you can make backups and restore them elsewhere, as long as you also adjust the file owner and group accordingly.

However, assuming you use something like tar, there's a caveat: tar will ignore sockets, so $rootfs/dev/log will pose an issue - others may also create a similar issue.

Questions:

Best Answer

Related Solutions

Linux – Building unprivileged (userns) LXC container from scratch, by migrating a privileged container to be unprivileged

Linux – Migrate an unprivileged LXC container between users

Preliminary assumptions

Moving the container

Backups

Resources:

Related Question