Operation not permitted while working with rootlesskit

[qiaoleiatms]

Problem statement
We're using rootlesskit with Debian bullseye and bookworm right now, and found:

1. If uidmap is installed over apt-get, will get below error while run rootlesskit bash

[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted

2. If we build newuidmap and newgidmap from source code, there's not such issue.

How to reproduce

• Build docker image from below Dockerfile first

FROM debian:bullseye

ARG ROOTLESSKIT_VERSION=v1.0.1
ARG SHADOW_VERSION=4.8.1

USER root
# download and install file package
RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends \
        curl \
        ca-certificates \
        gzip \
        git \
	libltdl-dev \
        pkg-config \
        libcap2-bin \
        uidmap \
	autoconf \
        autopoint \
        libtool \
        automake \
        make \
        bison \
        gettext \
        gcc \
        libcap-dev \
        libbsd-dev \
	; \
	rm -rf /var/lib/apt/lists/*

# RUN git clone https://github.com/shadow-maint/shadow.git /shadow
# WORKDIR /shadow
# RUN git pull && git checkout $SHADOW_VERSION
# RUN ./autogen.sh \ 
# 		--disable-man \
# 		--disable-account-tools-setuid \
# 		--disable-nls \
# 		--enable-lastlog \
# 		--without-audit \
# 		# --with-libpam \
# 		--without-selinux \
# 		--without-acl \
# 		--without-attr \
# 		--without-tcb \
# 		--with-yescrypt \
# 		--without-nscd \
# 		--without-group-name-max-length \
# 		--with-fcaps && \
#   		make && \
#   cp src/newuidmap src/newgidmap /usr/bin
# RUN chmod u+s /usr/bin/newuidmap
# RUN chmod u+s /usr/bin/newgidmap

RUN curl -SsLf "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz" | tar Cxzv /usr/bin

RUN useradd cnb

USER 1000:1000
ENTRYPOINT ["rootlesskit", "bash"]

• Then run docker run --rm -it -u 1000 <docker image>, you will get error
• Uncomment line 32-53 from the Dockerfile, and build the docker image again.
• Then run docker run --rm -it -u 1000 <docker image> again, everything is fine.

Ask

1. What's the difference between the version from package manager and built from source code?
2. How to avoid above error while install from package manager?

[alejandro-colomar]

The options that Debian uses to build shadow are different from yours. That might have an effect on the results.

$ git checkout debian/1%4.8.1-2 
Previous HEAD position was d906ecd3 New upstream version 4.8.1
HEAD is now at be18f1bb Update changelog

$ grepc -h -xmk -tv DEB_CONFIGURE_EXTRA_FLAGS debian/rules 
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
	--without-libcrack \
	--mandir=/usr/share/man \
	--with-libpam \
	--enable-shadowgrp \
	--enable-man \
	--disable-account-tools-setuid \
	--with-group-name-max-length=32 \
	--without-acl \
	--without-attr \
	--without-su \
	--without-tcb \
	 SHELL=/bin/sh

[alejandro-colomar]

BTW,

RUN git pull && git checkout $SHADOW_VERSION

That line doesn't make much sense, IMO. You probably want to git fetch instead of git pull.

And also see the warning it produces:

hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint: 
hint:   git config pull.rebase false  # merge (the default strategy)
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint: 
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.