shadow-maint / shadow

Upstream shadow tree

Operation not permitted while working with rootlesskit #958

Open qiaoleiatms opened 5 months ago

qiaoleiatms commented 5 months ago

**Problem statement**

We're using rootlesskit with Debian bullseye and bookworm right now, and found:

1. If uidmap is installed via apt-get, we get the error below when running `rootlesskit bash`:

```
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
```

2. If we build newuidmap and newgidmap from the source code, there is no such issue.

**How to reproduce**

```dockerfile
ARG ROOTLESSKIT_VERSION=v1.0.1
ARG SHADOW_VERSION=4.8.1

USER root

# download and install file package
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        curl \
        ca-certificates \
        gzip \
        git \
        libltdl-dev \
        pkg-config \
        libcap2-bin \
        uidmap \
        autoconf \
        autopoint \
        libtool \
        automake \
        make \
        bison \
        gettext \
        gcc \
        libcap-dev \
        libbsd-dev \
    ; \
    rm -rf /var/lib/apt/lists/*

# RUN git clone https://github.com/shadow-maint/shadow.git /shadow
# WORKDIR /shadow
# RUN git pull && git checkout $SHADOW_VERSION
# RUN ./autogen.sh \
#     --disable-man \
#     --disable-account-tools-setuid \
#     --disable-nls \
#     --enable-lastlog \
#     --without-audit \
#     --with-libpam \
#     --without-selinux \
#     --without-acl \
#     --without-attr \
#     --without-tcb \
#     --with-yescrypt \
#     --without-nscd \
#     --without-group-name-max-length \
#     --with-fcaps && \
#     make && \
#     cp src/newuidmap src/newgidmap /usr/bin
# RUN chmod u+s /usr/bin/newuidmap
# RUN chmod u+s /usr/bin/newgidmap

RUN curl -SsLf "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz" | tar Cxzv /usr/bin

RUN useradd cnb

USER 1000:1000
ENTRYPOINT ["rootlesskit", "bash"]
```



- Then run `docker run --rm -it -u 1000 <docker image>`; you will get the error.
- Uncomment lines 32-53 of the Dockerfile, and build the docker image again.
- Then run `docker run --rm -it -u 1000 <docker image>` again; everything is fine.

**Ask**
1. What's the difference between the version from the package manager and the one built from source code?
2. How can we avoid the above error when installing from the package manager?

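Two things decide whether a `newuidmap` invocation like the one in the error line above (`newuidmap 11 [0 1000 1 1 100000 65536]`, i.e. pid 11 followed by `inner outer count` triples) gets to write `uid_map`: the binary must carry privilege (setuid root, or the `cap_setuid` file capability that `--with-fcaps` builds use), and every triple must be either the caller's own uid mapped once or lie inside a range the caller owns in `/etc/subuid`. The script below is an added diagnostic, not code from this issue or from the shadow project; it re-implements the subordinate-range policy the way `newuidmap` applies it and reports which privilege mechanism a given binary has, so a reporter can rule those two causes in or out before looking at the container runtime. The sample `/etc/subuid` contents and the user `cnb` with uid 1000 are constructed to match the report; the real `/etc/subuid` of the failing system has to be checked separately.

```python
#!/usr/bin/env python3
"""Tell apart the two local reasons newuidmap refuses a mapping.

1. Policy: each (inner, outer, count) triple must be the caller's own uid
   (count 1) or fall inside a range the caller owns in /etc/subuid.
2. Privilege: the binary must be setuid root or carry file capabilities;
   otherwise the kernel rejects the write with EPERM.

Added example for this issue; the subuid samples below are constructed.
"""
import os
import stat
from dataclasses import dataclass
from typing import List, Tuple

Triple = Tuple[int, int, int]  # (inner id, outer id, count) as newuidmap takes them


@dataclass(frozen=True)
class SubidRange:
    start: int
    count: int

    def covers(self, outer: int, count: int) -> bool:
        return self.start <= outer and outer + count <= self.start + self.count


def parse_subid(text: str, user: str, uid: int) -> List[SubidRange]:
    """Collect the `owner:start:count` entries /etc/subuid grants to `user`.

    The owner field may be a user name or a numeric uid, so both are accepted.
    Blank, commented and malformed lines are skipped rather than fatal.
    """
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in (user, str(uid)):
            continue
        try:
            ranges.append(SubidRange(int(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return ranges


def parse_map_args(args: List[int]) -> List[Triple]:
    """Split the flat argument list after the pid into (inner, outer, count) triples."""
    if not args or len(args) % 3:
        raise ValueError("mapping arguments must come in (inner, outer, count) triples")
    return [(args[i], args[i + 1], args[i + 2]) for i in range(0, len(args), 3)]


def unauthorized_triples(args: List[int], caller_uid: int,
                         ranges: List[SubidRange]) -> List[Triple]:
    """Return the triples the subordinate-id policy rejects for this caller."""
    rejected = []
    for inner, outer, count in parse_map_args(args):
        if count == 1 and outer == caller_uid:
            continue  # a process may always map its own id once
        if any(r.covers(outer, count) for r in ranges):
            continue
        rejected.append((inner, outer, count))
    return rejected


def privilege_mode(path: str) -> str:
    """Report how a binary obtains privilege: setuid bit, file caps, both, or none."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    modes = []
    if st.st_mode & stat.S_ISUID:
        modes.append("setuid" if st.st_uid == 0 else "setuid-non-root")
    try:
        # Linux stores file capabilities in this xattr; it is what getcap reads.
        os.getxattr(path, "security.capability")
        modes.append("fcaps")
    except (OSError, AttributeError):
        pass
    return "+".join(modes) if modes else "none"


# Constructed samples: the mapping from the error line, requested by cnb (uid 1000).
ISSUE_MAP = [0, 1000, 1, 1, 100000, 65536]
SUBUID_WITH_CNB = "cnb:100000:65536\n"
SUBUID_WITHOUT_CNB = "# cnb has no entry here\nother:100000:65536\n"

if __name__ == "__main__":
    import sys
    for label, text in (("with cnb entry", SUBUID_WITH_CNB),
                        ("without cnb entry", SUBUID_WITHOUT_CNB)):
        bad = unauthorized_triples(ISSUE_MAP, 1000, parse_subid(text, "cnb", 1000))
        print(f"subuid {label}: {'policy allows the map' if not bad else 'policy rejects ' + str(bad)}")
    for path in sys.argv[1:]:  # e.g. /usr/bin/newuidmap on the failing image
        print(f"{path}: privilege via {privilege_mode(path)}")
```

Run it with the path of the installed `newuidmap` as an argument to see whether the package's binary relies on the setuid bit or on file capabilities; if the policy check passes and the binary has privilege, the remaining suspects are outside this script (the container's capability and seccomp settings), which is where the two Dockerfile variants should then be compared.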
alejandro-colomar commented 5 months ago

The options that Debian uses to build shadow are different from yours. That might have an effect on the results.

```
$ git checkout debian/1%4.8.1-2 
Previous HEAD position was d906ecd3 New upstream version 4.8.1
HEAD is now at be18f1bb Update changelog
$ grepc -h -xmk -tv DEB_CONFIGURE_EXTRA_FLAGS debian/rules 
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
    --without-libcrack \
    --mandir=/usr/share/man \
    --with-libpam \
    --enable-shadowgrp \
    --enable-man \
    --disable-account-tools-setuid \
    --with-group-name-max-length=32 \
    --without-acl \
    --without-attr \
    --without-su \
    --without-tcb \
     SHELL=/bin/sh
```

alejandro-colomar commented 5 months ago

BTW,

```dockerfile
RUN git pull && git checkout $SHADOW_VERSION
```

That line doesn't make much sense, IMO. You probably want `git fetch` instead of `git pull`.

And also see the warning it produces:

```
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint: 
hint:   git config pull.rebase false  # merge (the default strategy)
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint: 
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
```