tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0
4.73k stars 321 forks source link

GOSU fails to switch when provided user_id is larger than 65536?!! #85

Closed Samahu closed 3 years ago

Samahu commented 3 years ago

I am using gosu within a docker container that is going to be run within a rootless docker mode. The rootless mode is required.

I am trying to use gosu when launching the container to maintain the file permissions and ownership to the host user for files generated during a docker session.

The problem is whenever I try to invoke gosu to switch to the newly added user within docker (that matches the host user), I get the following errro:

error: failed switching to "some_user": invalid argument

I looked around and found that this might the most related issue: #64 However, when I try what was the developer who asked the question struggling with, I didn't have a problem executing the command:

gosu 1000 id # or gosu 1000:1000 id 

That being the case I did several tests and found out that there seems to be an upper limit on the user id that gosu accepts:

$ gosu 65536 id
uid=65536 gid=0(root) groups=0(root)
$ gosu 65537 id
error: failed switching to "65537": invalid argument

Unfortunately, my user id has a value larger than 65536. Can some one explain why is this a problem and whether there is a way around this limitation.

$ gosu --version
gosu version: 1.10 (go1.10.4 on linux/amd64; gc)
     license: GPL-3 (full text at https://github.com/tianon/gosu)
tianon commented 3 years ago

I'm not able to reproduce without rootless:

/ # gosu 2147483647:2147483647 id
uid=2147483647 gid=2147483647

I'm guessing the third field in your user's /etc/subuid designation is set to 65536, which is the upper limit on the range of remapped user IDs that gets created (https://docs.docker.com/engine/security/rootless/).

Samahu commented 3 years ago

Indeed, the third field of /etc/subuid is set to 65536. I will check if increasing the value would fix the problem.

Samahu commented 3 years ago

I increased the value of third field to 15665550 but now docker won't start. I don't fully understand how to pick the range for the user name space such that it would work with rootless docker and still work gosu, does anyone have an idea?

Note that the value of :100000:65536 is not something that I came up with but rather it is what the rootless docker installation script emits: https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh

Thanks!

Samahu commented 3 years ago

I got some feedback from docker maintainers, hinting at editing /etc/logins.def. Do you know how this affects gosu? Do you think that merely increasing SUB_UID_COUNT to 15665550 would fix the issue?

I don't understand how you were able to run gosu 2147483647:2147483647 id on your end without hitting the default limit of SUB_UID_COUNT=65536. Unless you have these limits adjusted in '/etc/logins.def`?

We use strictly controlled machines and any adjustments to be made to system files require a privileged user intervention. So I'd rather understand the issue before I open a ticket. Thanks!

Samahu commented 3 years ago

I got some feedback from docker maintainers, hinting at editing /etc/logins.def. Do you know how this affects gosu? Do you think that merely increasing SUB_UID_COUNT to 15665550 would fix the issue?

I don't understand how you were able to run gosu 2147483647:2147483647 id on your end without hitting the default limit of SUB_UID_COUNT=65536. Unless you have these limits adjusted in '/etc/logins.def`?

We use strictly controlled machines and any adjustments to be made to system files require a privileged user intervention. So I'd rather understand the issue before I open a ticket. Thanks!

I don't think that increasing SUB_UID_COUNT to 15665550 is a good approach. If I understood correctly this controls the number of sub user ids assigned to each user on the system.

tianon commented 3 years ago

Yeah, that makes sense, but I'm not sure I understand how/why it's related to gosu now? For example, sudo -u '#2147483647' id would definitely suffer from the same symptoms since these are (intentional) kernel limitations, not userspace.

(In other words, I'd suggest further discussion should probably go to a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow, since there doesn't appear to be anything here gosu should or even can do differently.)

tianon commented 3 years ago

(I'm able to run the commands successfully because I'm not running rootless.)

Samahu commented 3 years ago

I don't have a working solution to this issue but going to close it anyway for now. If you or anyone got to try out gosu with rootless docker mode please update this ticket.