User Namespaces

snoopy2122
Posts: 2
Joined: 2022/09/21 22:41:40

User Namespaces

Post by snoopy2122 » 2022/09/21 22:52:54

Hello,

New CentOS user and my first post here. I'm trying to run a binary that utilizes user namespaces (specifically, I'm working with https://github.com/containers/bubblewrap/). I've updated the user.max_user_namespaces kernel setting to be non-zero, which is the default, by creating a `/etc/sysctl.d/custom-security.conf` file with `user.max_user_namespaces = 1000` and rebooting. After logging back in, I can verify the non-zero user.max_user_namespaces setting via `sysctl -a`. I believe that user.max_user_namespaces is the only kernel setting relevant to creating user namespaces (please correct me if I'm wrong). Even after updating this setting, I still receive namespace permission issues when running my binary. I've also done `setuid u+s <binary>` to try to enable setuid, but that doesn't work either. The only way that I'm able to run the binary is with `sudo <binary>`, but I'd like non-sudo users to be able to run as well. Finally getting to my question:

Does CentOS explicitly require a sudo invocation to enable user namespaces? I thought that setuid would suffice.

If anyone has any further info/thoughts on this I'd greatly appreciate it.

Thanks in advance for your time!

P.S. I will likely ask a question on the github page of the software I'm trying to run. The following post on the software's github page made me decide to ask about OS kernel settings here first: https://github.com/containers/bubblewra ... -510231629
Last edited by snoopy2122 on 2022/09/22 14:50:48, edited 3 times in total.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: User Namespaces

Post by jlehtone » 2022/09/22 11:09:56

I have touched namespaces only for podman, which has to map [ug]ids in the container into a "safe" range on the host.
For that I did set user.max_user_namespaces and added/updated SUB_GID_MIN and SUB_UID_MIN in /etc/login.defs:

Code:

# Ansible tasks
  - name: Add user namespaces
    sysctl:
      name: user.max_user_namespaces
      value: '15000'
      state: present
      sysctl_file: /etc/sysctl.d/{{ site_name }}-namespaces.conf
    when: use_user_namespaces|default(false)|bool

  - name: Set sub_uid/sub_gid ranges min to higher value than default 100000
    blockinfile:
      path: /etc/login.defs
      marker: "# {mark} ANSIBLE MANAGED BLOCK for {{ site_name | upper }}"
      block: |
        SUB_GID_MIN               {{ environment_sub_gid_min }}
        SUB_UID_MIN               {{ environment_sub_uid_min }}
    when: use_user_namespaces|default(false)|bool

If I create an account after doing those, lines are added to /etc/sub[ug]id.
For example, both SUB_*_MIN are set to 5000000 and I create accounts: "me" and "you".
Both files do get:

Code:

me:5000000:65536
you:5065536:65536

That is, each account gets a range of 65536 ids, starting from MIN.

You can edit those files directly too (for existing accounts).

I don't know whether the lack of those sub-maps is what blocks you, but that is what I would check first.
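An added example (not from jlehtone's post or the bubblewrap project) that checks the two things named above for a given login: the user.max_user_namespaces value and the per-user lines in /etc/subuid and /etc/subgid. It runs against constructed copies of those files matching the "me"/"you" example; the next_subid_start helper assumes the packed 65536-id ranges from SUB_*_MIN that the post shows.

```shell
#!/bin/sh
# Added example (not from the thread). Parses subuid/subgid-format files
# and reports the two things the post says to check first. Takes explicit
# values and paths so it can run against copies; on the live system use
# "$(sysctl -n user.max_user_namespaces)" /etc/subuid /etc/subgid "$USER".

# Print "start:count" for USER from a subid-format FILE; exit 1 if absent.
subid_range() {  # usage: subid_range FILE USER
    awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# First id after the highest range in FILE, or MIN when FILE has no entries.
# Assumes ranges are packed upward from SUB_*_MIN as in the post's example.
next_subid_start() {  # usage: next_subid_start FILE MIN
    awk -F: -v min="$2" 'BEGIN { nxt = min }
        { end = $2 + $3; if (end > nxt) nxt = end }
        END { print nxt }' "$1"
}

# Report why unprivileged user namespaces may fail for USER; return 1 on any gap.
ns_check() {  # usage: ns_check MAX_USER_NS SUBUID_FILE SUBGID_FILE USER
    status=0
    if [ "$1" -eq 0 ]; then
        echo "user.max_user_namespaces is 0: user namespaces are disabled"
        status=1
    fi
    for f in "$2" "$3"; do
        if r=$(subid_range "$f" "$4"); then
            echo "$4 has range $r in $f"
        else
            echo "$4 has no entry in $f"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample files (MIN=5000000); "you" is missing from subgid.
tmp=$(mktemp -d)
printf 'me:5000000:65536\nyou:5065536:65536\n' > "$tmp/subuid"
printf 'me:5000000:65536\n' > "$tmp/subgid"

ns_check 1000 "$tmp/subuid" "$tmp/subgid" you ||
    echo "-> add to $tmp/subgid: you:$(next_subid_start "$tmp/subgid" 5000000):65536"
```

For the sample files the check reports that "you" has a subuid range but no subgid entry, and suggests the next free 65536-id range for the missing line.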

snoopy2122
Posts: 2
Joined: 2022/09/21 22:41:40

Re: User Namespaces

Post by snoopy2122 » 2022/09/22 15:04:30

jlehtone,

Big thanks for the suggestion and taking the time to write up that response. I wasn't aware of the SUB_*ID_MIN settings previously, so I gave them a try by setting both to 5000000 in /etc/login.defs and rebooting. Unfortunately that did not change the outcome of running the binary as a normal user. I'm still able to start user namespaces with sudo but not as normal user or with the binary setuid set.

Thanks again for your time. I really appreciate it!

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: User Namespaces

Post by jlehtone » 2022/09/22 18:38:22

snoopy2122 wrote (2022/09/22 15:04:30):
    Unfortunately that did not change the outcome

That in itself does not. It just affects what is pushed into /etc/subuid and /etc/subgid.
Edit those files (and at least start a new session).
