Bug 615298 - sys-apps/shadow-4.4-r2 newgidmap newuidmap need the setuid bit set so app-containers/lxc unprivileged containers can work
Summary: sys-apps/shadow-4.4-r2 newgidmap newuidmap need the setuid bit set so app-con...
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL: https://github.com/lxc/lxc/issues/1454
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2017-04-11 18:10 UTC by Plero H
Modified: 2023-10-09 18:48 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---
Description Plero H 2017-04-11 18:10:53 UTC
The shadow package does not set the setuid bit on newgidmap and newuidmap, so lxc unprivileged containers cannot start. According to lxc this is a distro/package issue.

Reproducible: Always

Steps to Reproduce:
1. create an unprivileged lxc container
2. update/remerge shadow ebuild
3. start the container
Actual Results:
lxc container cannot start

Expected Results:
lxc container should start

Check the problem and the solution here:

https://github.com/lxc/lxc/issues/1454

Maybe an additional useflag is needed in shadow ebuild so we can setuid those binaries.
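As an added example (not code from the bug report or from the shadow or lxc projects), a POSIX sh check for the two conditions an unprivileged container needs from shadow: newuidmap/newgidmap being setuid root, and the launching user owning a subordinate id range. The /usr/bin location of the helpers is an assumption; pass another directory as the second argument.

```shell
# Added example, not code from the bug report or from shadow/lxc. For an
# unprivileged LXC container the shadow helpers must be setuid root (mode
# 4755) and the user needs a range in /etc/subuid and /etc/subgid.
# 0 if the file exists and carries the setuid bit: `ls -l` shows
# 's' (or 'S' when not executable) in the owner-execute column.
has_setuid_bit() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if the file is owned by root; setuid on any other owner grants no
# privilege and would not let LXC write the uid/gid maps.
owned_by_root() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "root" ]
}

# 0 if the user has a "user:start:count" line with count > 0 in the
# given subordinate id file (/etc/subuid or /etc/subgid).
has_subid_range() {
    awk -F: -v u="$1" '$1 == u && $3 > 0 { found = 1 } END { exit !found }' "$2"
}

# Usage: check_idmap_helpers [user] [bindir]; prints one line per check
# and returns 1 if any of them fails. /usr/bin is an assumed location.
check_idmap_helpers() {
    user="${1:-$(id -un)}"
    bindir="${2:-/usr/bin}"
    rc=0
    for bin in newuidmap newgidmap; do
        if has_setuid_bit "$bindir/$bin" && owned_by_root "$bindir/$bin"; then
            echo "OK   $bindir/$bin is setuid root"
        else
            echo "FAIL $bindir/$bin is not setuid root (expected mode 4755)"
            rc=1
        fi
    done
    for f in /etc/subuid /etc/subgid; do
        if has_subid_range "$user" "$f" 2>/dev/null; then
            echo "OK   $user has a range in $f"
        else
            echo "FAIL $user has no range in $f"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_idmap_helpers "$USER"` after re-emerging shadow: a FAIL on the setuid line reproduces the condition this bug describes, while a FAIL on the subuid/subgid lines points at the id range setup instead.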
Comment 1 Rick Harris 2017-07-15 23:48:40 UTC
Confirmed, same problem here.

I'm currently working around the problem by disabling the use of shadow's newgidmap newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to sys-apps/shadow during ./configure as LXC's implementation is somewhat flaky in my use case.

This has the end result of LXC correctly setting up the UID/GID mapping directly itself instead of trying (and failing) to use shadow's newgidmap newuidmap.
Comment 2 Plero H 2017-07-17 22:58:27 UTC
(In reply to Rick Harris from comment #1)
> Confirmed, same problem here.
> 
> I'm currently working around the problem by disabling the use of shadow's
> newgidmap newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to
> sys-apps/shadow during ./configure as LXC's implementation is somewhat flaky
> in my use case.
> 
> This has the end result of LXC correctly setting up the UID/GID mapping
> directly itself instead of trying (and failing) to use shadow's newgidmap
> newuidmap.

Nice, can you attach a patch? How do you do it?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-21 04:26:36 UTC
CCing lxc maintainers. Not sure if this is still an issue or not?
Comment 4 Joonas Niilola gentoo-dev 2021-12-22 06:42:03 UTC
No, it shouldn't be; a lot has changed in how lxc handles idmap since 2017.

If it is with latest lxc in the tree, please reopen and let's investigate again.