Hello,
New CentOS user and my first post here. I'm trying to run a binary that utilizes user namespaces (specifically, I'm working with https://github.com/containers/bubblewrap/). I've updated the user.max_user_namespaces kernel setting to be non-zero, which is the default, by creating a `/etc/sysctl.d/custom-security.conf` file with `user.max_user_namespaces = 1000` and rebooting. After logging back in, I can verify the non-zero user.max_user_namespaces setting via `sysctl -a`. I believe that user.max_user_namespaces is the only kernel setting relevant to creating user namespaces (please correct me if I'm wrong). Even after updating this setting, I still receive namespace permission issues when running my binary. I've also done `setuid u+s <binary>` to try to enable setuid, but that doesn't work either. The only way that I'm able to run the binary is with `sudo <binary>`, but I'd like non-sudo users to be able to run as well. Finally getting to my question:
Does CentOS explicitly require a sudo invocation to enable user namespaces? I thought that setuid would suffice.
If anyone has any further info/thoughts on this I'd greatly appreciate it.
Thanks in advance for your time!
P.S. I will likely ask a question on the github page of the software I'm trying to run. The following post on the software's github page made me decide to ask about OS kernel settings here first: https://github.com/containers/bubblewra ... -510231629
User Namespaces
-
- Posts: 2
- Joined: 2022/09/21 22:41:40
User Namespaces
Last edited by snoopy2122 on 2022/09/22 14:50:48, edited 3 times in total.
Re: User Namespaces
I have touched namespaces only for podman, which has to map [ug]ids in container into "safe" range on host.
For that I did set the user.max_user_namespaces and added/updated SUB_GID_MIN and SUB_UID_MIN in the /etc/login.defs:
If I create an account after doing those, lines are added to /etc/sub[ug]id.
For example, both SUB_*_MIN are set to 5000000 and I create accounts: "me" and "you".
Both files do get:
That is, each account gets a range of 65536 ids, starting from MIN.
You cat edit those files directly too (for existing accounts).
I don't know whether the lack of those sub-maps is what blocks you, but that is what I would check first.
For that I did set the user.max_user_namespaces and added/updated SUB_GID_MIN and SUB_UID_MIN in the /etc/login.defs:
Code: Select all
# Ansible tasks
- name: Add user namespaces
sysctl:
name: user.max_user_namespaces
value: '15000'
state: present
sysctl_file: /etc/sysctl.d/{{ site_name }}-namespaces.conf
when: use_user_namespaces|default(false)|bool
- name: Set sub_uid/sub_gid ranges min to higher value than default 100000
blockinfile:
path: /etc/login.defs
marker: "# {mark} ANSIBLE MANAGED BLOCK for {{ site_name | upper }}"
block: |
SUB_GID_MIN {{ environment_sub_gid_min }}
SUB_UID_MIN {{ environment_sub_uid_min }}
when: use_user_namespaces|default(false)|bool
For example, both SUB_*_MIN are set to 5000000 and I create accounts: "me" and "you".
Both files do get:
Code: Select all
me:5000000:65536
you:5065536:65536
You cat edit those files directly too (for existing accounts).
I don't know whether the lack of those sub-maps is what blocks you, but that is what I would check first.
-
- Posts: 2
- Joined: 2022/09/21 22:41:40
Re: User Namespaces
jlehtone,
Big thanks for the suggestion and taking the time to write up that response. I wasn't aware of the SUB_*ID_MIN settings previously, so I gave them a try by setting both to 5000000 in /etc/login.defs and rebooting. Unfortunately that did not change the outcome of running the binary as a normal user. I'm still able to start user namespaces with sudo but not as normal user or with the binary setuid set.
Thanks again for your time. I really appreciate it!
Big thanks for the suggestion and taking the time to write up that response. I wasn't aware of the SUB_*ID_MIN settings previously, so I gave them a try by setting both to 5000000 in /etc/login.defs and rebooting. Unfortunately that did not change the outcome of running the binary as a normal user. I'm still able to start user namespaces with sudo but not as normal user or with the binary setuid set.
Thanks again for your time. I really appreciate it!
Re: User Namespaces
That in itself does not. It just affects what is pushed into /etc/subuid and /etc/subgid
Edit those files (and at least start new session).