[systemd-devel] Unprivileged containers and co-ordinating user namespaces

Eric W. Biederman ebiederm at xmission.com
Wed May 4 15:02:45 UTC 2016 

James Bottomley <James.Bottomley at HansenPartnership.com> writes:

> On Thu, 2016-04-28 at 16:00 -0700, W. Trevor King wrote:
>> On Thu, Apr 28, 2016 at 03:02:08PM -0700, James Bottomley wrote:
>> > /etc/usernamespaces
>> > 
>> > and the format be :::
>> > 
>> > …
>> > 
>> > If this sounds OK to people, I can code up a utility that does this,
>> > which should probably belong in util-linux.
>> 
>> This sounds a lot like shadow's newuidmap and newgidmap [1,2,3].
>> 
>> Cheers,
>> Trevor
>> 
>> [1]: https://github.com/shadow-maint/shadow/commit/673c2a6f9aa6c69588f4c1be08589b8d3475a520
>> [2]: http://man7.org/linux/man-pages/man1/newuidmap.1.html
>> [3]: http://man7.org/linux/man-pages/man5/subuid.5.html
>
> I think that mostly works.  No-one's packaging it yet, which is why I
> didn't notice.  It also looks like the build dependencies have vastly
> expanded, so I can't get it to build in the build service yet.

Both Fedora and Ubuntu should be packaging it.  Further Docker should
already be using these files.

> It looks like the only addition it needs is the setgroups flag for
> newgidmap, which the security people will need, so I can patch that. 
>  Plus it's trying to install newgidmap/newuidmap as setuid root rather
> than cap_setuid/cap_setgid, but that's fixable in the spec file.

I read the rest of this thread and I don't understand the setgroups flag
that you desire.  It sounds like someone with an incomplete grasp on the
situtation being cautious.

As far as I can tell the use cases for containers not supporting
setgroups is very limited.  Basically just using user namespaces to
drop privileges, and mapping the existing uids and gids to 0.

I don't think it actually makes sense to have a knob.  From a practical
standpoint entering any subordinate ids into the subgid file for a user
is a permission to use groups in such a way that can not use them as a
negative acl (because we allow them to be dropped).

Certainly it has been that way for quite a while now.

Except for the negative acl aspect there are no issues with dropping
groups, as setgroups will limit you to the groups allowed in your user
namespace.

Eric

More information about the systemd-devel mailing list