[Bug 2813] New: sshd fails to start in user namespaces when the gid for tty is not mapped
bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 17 03:46:06 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2813
Bug ID: 2813
Summary: sshd fails to start in user namespaces when the gid for tty is not mapped
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: o.freyermuth at googlemail.com
Created attachment 3105
--> https://bugzilla.mindrot.org/attachment.cgi?id=3105&action=edit
Patch to support user namespaces
In unprivileged user namespaces (cf. https://lwn.net/Articles/532593/),
the user's uid / gid pair can be mapped to a single uid / gid pair
in the namespace.
User namespaces are in heavy use for any unprivileged Linux container
implementation (runC's rootless containers, singularity's containers in
non-setuid mode, charliecloud containers, docker with user namespace
support enabled etc.).
Typically, the uid / gid of the user or 0 / 0 are used, hence the gid
of the tty group will not be mapped.
Any unmapped uid and gid will be mapped to the "overflow uid / gid" by
the kernel (0xFFFE = 65534).
This causes sshd to fail when trying to chown the /dev/pts/xx device.
The only workaround would be (for the user) to map his / her own group
id to the tty gid, which is rather a dirty hack.
The attached patch adds an exception in the case chown fails and the
pts device is owned by the matching uid and the overflow gid. In this
case, only a debug message is shown, but execution continues.
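The check the report describes, written out as an added illustration (this is not the attached patch and not OpenSSH code): after `chown()` of the pty slave fails, the device is re-examined, and the failure is tolerated only when the slave is already owned by the intended uid and by the kernel's overflow gid, which is what an unmapped group looks like from inside a user namespace. The function names (`parse_overflow_gid`, `read_overflow_gid`, `owner_tolerable`, `claim_pty`) are this example's own; the overflow gid is read from `/proc/sys/kernel/overflowgid` with 65534 as the fallback the report gives.

```c
/* Added example, not the attached patch: tolerate a failed chown() of a
 * pty slave when the device is already owned by the expected uid and the
 * kernel overflow gid (an unmapped group seen from a user namespace). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 0xFFFE: the kernel's default overflow gid, as stated in the report. */
#define OVERFLOW_GID_DEFAULT 65534L

/* Parse the decimal text of /proc/sys/kernel/overflowgid.
 * Returns the gid, or -1 if the text is not a plain decimal number. */
static long parse_overflow_gid(const char *text)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(text, &end, 10);
	if (errno != 0 || end == text || (*end != '\0' && *end != '\n'))
		return -1;
	return (long)v;
}

/* Ask the running kernel for its overflow gid; fall back to the default
 * when /proc is unavailable or unreadable. */
static gid_t read_overflow_gid(void)
{
	char buf[32];
	long gid = OVERFLOW_GID_DEFAULT;
	FILE *f = fopen("/proc/sys/kernel/overflowgid", "r");

	if (f != NULL) {
		if (fgets(buf, sizeof buf, f) != NULL) {
			long parsed = parse_overflow_gid(buf);
			if (parsed >= 0)
				gid = parsed;
		}
		fclose(f);
	}
	return (gid_t)gid;
}

/* The exception itself: ownership (dev_uid, dev_gid) is acceptable after a
 * failed chown only if the uid already matches the user we wanted and the
 * gid is the overflow gid, i.e. the tty group is simply not mapped here. */
static int owner_tolerable(uid_t dev_uid, gid_t dev_gid,
    uid_t want_uid, gid_t overflow_gid)
{
	return dev_uid == want_uid && dev_gid == overflow_gid;
}

/* Try to hand the pty slave to (uid, tty gid) the way a pty allocator does.
 * Returns 0 if chown succeeded, 1 if it failed but is tolerated (a debug
 * message is printed and the caller continues), -1 if it failed for any
 * other reason and the caller should treat it as an error. */
static int claim_pty(const char *slave, uid_t uid, gid_t tty_gid)
{
	struct stat st;
	int saved_errno;

	if (chown(slave, uid, tty_gid) == 0)
		return 0;
	saved_errno = errno;          /* keep the chown() error for the message */
	if (stat(slave, &st) != 0)
		return -1;
	if (owner_tolerable(st.st_uid, st.st_gid, uid, read_overflow_gid())) {
		fprintf(stderr, "debug: chown(%s) failed (%s); device is %u:%u, "
		    "tty gid appears unmapped in this namespace, continuing\n",
		    slave, strerror(saved_errno),
		    (unsigned)st.st_uid, (unsigned)st.st_gid);
		return 1;
	}
	return -1;
}

/* Stand-alone demonstration: allocate a pty and run the check against it. */
int main(void)
{
	int master = posix_openpt(O_RDWR | O_NOCTTY);
	struct group *tty = getgrnam("tty");
	const char *slave;

	if (master < 0 || tty == NULL || grantpt(master) != 0 ||
	    unlockpt(master) != 0 || (slave = ptsname(master)) == NULL) {
		perror("pty setup");
		return 1;
	}
	printf("%s -> %d\n", slave, claim_pty(slave, getuid(), tty->gr_gid));
	close(master);
	return 0;
}
```

Outside a user namespace the `chown` normally succeeds (or fails with the device owned by the real tty group, which is still reported as an error); inside a rootless container the device shows up as `uid:65534` and the failure is downgraded to a debug message, matching the behaviour the report describes.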