Operation not permitted while working with rootlesskit #958

Open

qiaoleiatms opened this issue Feb 22, 2024 · 2 comments

Comments

@qiaoleiatms

Problem statement

We're using rootlesskit with Debian bullseye and bookworm right now, and found:

  1. If uidmap is installed via apt-get, we get the error below when running rootlesskit bash:

```
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
```

  2. If we build newuidmap and newgidmap from source, there is no such issue.

How to reproduce

  • Build a docker image from the Dockerfile below first:

```dockerfile
FROM debian:bullseye

ARG ROOTLESSKIT_VERSION=v1.0.1
ARG SHADOW_VERSION=4.8.1

USER root
# download and install file package
RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends \
	curl \
	ca-certificates \
	gzip \
	git \
	libltdl-dev \
	pkg-config \
	libcap2-bin \
	uidmap \
	autoconf \
	autopoint \
	libtool \
	automake \
	make \
	bison \
	gettext \
	gcc \
	libcap-dev \
	libbsd-dev \
	; \
	rm -rf /var/lib/apt/lists/*

# RUN git clone https://github.com/shadow-maint/shadow.git /shadow
# WORKDIR /shadow
# RUN git pull && git checkout $SHADOW_VERSION
# RUN ./autogen.sh \
# 		--disable-man \
# 		--disable-account-tools-setuid \
# 		--disable-nls \
# 		--enable-lastlog \
# 		--without-audit \
# 		# --with-libpam \
# 		--without-selinux \
# 		--without-acl \
# 		--without-attr \
# 		--without-tcb \
# 		--with-yescrypt \
# 		--without-nscd \
# 		--without-group-name-max-length \
# 		--with-fcaps && \
#   		make && \
#   cp src/newuidmap src/newgidmap /usr/bin
# RUN chmod u+s /usr/bin/newuidmap
# RUN chmod u+s /usr/bin/newgidmap

RUN curl -SsLf "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz" | tar Cxzv /usr/bin

RUN useradd cnb

USER 1000:1000
ENTRYPOINT ["rootlesskit", "bash"]
```
  • Then run `docker run --rm -it -u 1000 <docker image>`; you will get the error.
  • Uncomment lines 32-53 of the Dockerfile and build the docker image again.
  • Then run `docker run --rm -it -u 1000 <docker image>` again; everything is fine.

Ask

  1. What's the difference between the version from the package manager and the one built from source code?
  2. How can we avoid the above error when installing from the package manager?
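The two questions above hinge on where the refusal happens: newuidmap first checks the requested map against /etc/subuid and only then writes /proc/<pid>/uid_map, so a "write to uid_map failed" message means the map itself passed and the privileged write was what the kernel denied. The following triage script is an added example, not code from the shadow project, rootlesskit or the reporter: it parses the rootlesskit error line quoted in the report, rebuilds the requested map, applies newuidmap's range rule (a triple may map the caller's own uid alone, or must fit wholly inside one `user:start:count` allotment), and names the stage that failed. The /etc/subuid content is constructed (the `cnb:100000:65536` line assumes the block `useradd` typically allocates on Debian), and `helper_privilege` is a hypothetical helper that only reads the setuid bit from stat() data; a `--with-fcaps` build carries file capabilities that stat() cannot show.

```python
"""Triage a rootlesskit/newuidmap failure: subuid range check or kernel write?"""
import re
import stat
from dataclasses import dataclass
from typing import List, Tuple

# Error line copied from the issue report above.
ROOTLESSKIT_ERROR = (
    "[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 "
    "[0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: "
    "Operation not permitted"
)

# Constructed /etc/subuid: the block `useradd cnb` typically adds on Debian,
# plus an unrelated user and a comment to exercise the parser.
SUBUID_SAMPLE = """\
# comment line
other:165536:65536
cnb:100000:65536
"""


@dataclass(frozen=True)
class Range:
    inner: int  # first id inside the new user namespace
    outer: int  # first id in the parent (host) namespace
    count: int  # number of contiguous ids


_ERR_RE = re.compile(
    r"newuidmap (?P<pid>\d+) \[(?P<map>[\d ]+)\] failed: newuidmap: (?P<msg>.*)$"
)


def parse_rootlesskit_error(line: str) -> Tuple[int, List[Range], str]:
    """Extract (pid, requested map, newuidmap's message) from the log line."""
    m = _ERR_RE.search(line)
    if m is None:
        raise ValueError("not a rootlesskit newuidmap failure line")
    fields = [int(f) for f in m.group("map").split()]
    if not fields or len(fields) % 3:
        raise ValueError("uid map must be a multiple of three integers")
    ranges = [Range(*fields[i:i + 3]) for i in range(0, len(fields), 3)]
    return int(m.group("pid")), ranges, m.group("msg")


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return (start, count) allotments for `user` from subuid/subgid text."""
    allotments = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] != user:
            continue
        try:
            start, count = int(parts[1]), int(parts[2])
        except ValueError:
            continue  # malformed line: ignore it
        if count > 0:
            allotments.append((start, count))
    return allotments


def rejected_ranges(ranges: List[Range], own_uid: int,
                    allotments: List[Tuple[int, int]]) -> List[Range]:
    """Ranges newuidmap's own check refuses before it touches uid_map."""
    bad = []
    for r in ranges:
        if r.count == 1 and r.outer == own_uid:
            continue  # a user may always map their own uid
        if any(s <= r.outer and r.outer + r.count <= s + c for s, c in allotments):
            continue  # wholly inside a single allotment
        bad.append(r)
    return bad


def failure_stage(ranges, own_uid, allotments, msg: str) -> str:
    """Name the layer that refused the map: 'subuid', 'kernel' or 'unknown'."""
    if rejected_ranges(ranges, own_uid, allotments):
        return "subuid"  # fix /etc/subuid or the requested map
    if "write to uid_map failed" in msg:
        return "kernel"  # map is valid; the privileged write itself was denied
    return "unknown"


def helper_privilege(st_mode: int, st_uid: int) -> str:
    """Classify a newuidmap binary from stat() mode and owner (hypothetical helper)."""
    if st_mode & stat.S_ISUID:
        return "setuid-root" if st_uid == 0 else "setuid-nonroot"
    return "not-setuid"  # may still carry cap_setuid as a file capability


if __name__ == "__main__":
    pid, ranges, msg = parse_rootlesskit_error(ROOTLESSKIT_ERROR)
    allot = parse_subid(SUBUID_SAMPLE, "cnb")
    print("pid", pid, "requested map", ranges)
    print("stage:", failure_stage(ranges, 1000, allot, msg))
```

For the map from this report and the constructed allotment the script reports `kernel`: both triples are acceptable to newuidmap, so the next thing to inspect is how the installed helper is privileged (`stat` and `getcap` on /usr/bin/newuidmap, whether the mount is `nosuid`, and whether the container runs with `no_new_privs`), not /etc/subuid.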
@alejandro-colomar (Collaborator) commented Feb 27, 2024

The options that Debian uses to build shadow are different from yours. That might have an effect on the results.

```
$ git checkout debian/1%4.8.1-2
Previous HEAD position was d906ecd3 New upstream version 4.8.1
HEAD is now at be18f1bb Update changelog
$ grepc -h -xmk -tv DEB_CONFIGURE_EXTRA_FLAGS debian/rules
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
	--without-libcrack \
	--mandir=/usr/share/man \
	--with-libpam \
	--enable-shadowgrp \
	--enable-man \
	--disable-account-tools-setuid \
	--with-group-name-max-length=32 \
	--without-acl \
	--without-attr \
	--without-su \
	--without-tcb \
	 SHELL=/bin/sh
```

@alejandro-colomar (Collaborator) commented Feb 27, 2024

BTW,

```dockerfile
RUN git pull && git checkout $SHADOW_VERSION
```

That line doesn't make much sense, IMO. You probably want `git fetch` instead of `git pull`.

And also see the warning it produces:

```
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint: 
hint:   git config pull.rebase false  # merge (the default strategy)
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint: 
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
```
