[Bug 2813] New: sshd fails to start in user namespaces when the gid for tty is not mapped

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 17 03:46:06 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2813

            Bug ID: 2813
           Summary: sshd fails to start in user namespaces when the gid
                    for tty is not mapped
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: o.freyermuth at googlemail.com

Created attachment 3105
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3105&action=edit
Patch to support user namespaces

In unprivileged user namespaces (cf. https://lwn.net/Articles/532593/),
the user's uid / gid pair can be mapped to a single uid / gid pair
in the namespace.

User namespaces are in heavy use for any unprivileged Linux container
implementation (runC's rootless containers, singularity's containers in
non-setuid mode, charliecloud containers, docker with user namespace
support enabled, etc.).

Typically, the uid / gid of the user or 0 / 0 are used, hence the gid
of the tty group will not be mapped. 

Any unmapped uid and gid will be mapped to the "overflow uid / gid" by
the kernel (0xFFFE = 65534). 
This causes sshd to fail when trying to chown the /dev/pts/xx device. 

The only workaround would be (for the user) to map his / her own group
id to the tty gid, which is rather a dirty hack.

The attached patch adds an exception in the case chown fails and the
pts device is owned by the matching uid and the overflow gid. In this
case, only a debug message is shown, but execution continues.
