today to my surprise I have noticed that I may delete a file that was created by a user with UID 100024 while being logged to my normal user (UID 1000) shell. The UID 100024 is a subuid, it is how the user inside the rootless podman container looks in top processes, also in ls -l output. The cat /etc/subuid out is myuser:100000:65536, same for the subgid. The sudo sysctl kernel.unprivileged_userns_clone out is kernel.unprivileged_userns_clone = 1 the getfacl /the/file shows

user::rw-
group::r--
other::r--

The grep CONFIG_USER_NS /boot/config-$(uname -r) out is CONFIG_USER_NS=y. To even a bigger surprise, I was able to edit a file created by UID 1000 user in the volume mapped folder, from inside the container! The file had 644 permissions and was owned by nobody:nogroup. I'm pretty sure I could not do these operations in the past. Anything has happened to my 6.1.0-32-amd64 Debian? The filesystem is xfs. ls -hal for the directory returns:

drwxrwxr-x+ 12 pod_yt      root        4.0K Jul 19 17:09 name_of_the_dir

and the getfacl for the dir returns

user::rwx user:myuser:rwx 
user:name_of_the_user_for_uid_100024:rwx 
group::r-x mask::rwx other::r-x

So here is the situation. I have a hypothetical system with 2 users - 'user1' and 'root'. The user 'user1' is just a normal non-sudoer user with uid=1000, and the root, is just a normal root user with uid=0. Let's say that through a certain exploit in the system user1, can get euid=0, but his uid still remains 1000. This sort of gives him some root abilities but not all. For example: accessing /root, is done as if the root is attempting to do it, but running 'sudo' or 'su' seems to be ran as if based on UID and not EUID. My question is: Is there an elegant way that doesn't require, uploading binaries, changing /etc/shadow or /etc/passwd to switch the uid to 0 as well, now that we have euid=0? It would also be great if the method works natively and doesn't assume that specific programs like gcc, for example, exsist. So far I only managed to think out

-c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'

which is fairly nice, but assumes that there is python installed on the system. Any better suggestion?

I'm totally new in these enviroments but I'm trying to learn. I installed proxmox on a single SSD, then attached one HDD(/dev/sdb) to the system for media storage. The basic idea was to create one container for Plex app and one for rtorrent app. I would like to share the same space(disk) between these containers. On the host I mounted /dev/sdb1 to /mnt/mediastorage, and created a user called "mediastorage"(110:117) and add access to this space. Both of the containers I added this(/mnt/mediastorage) to /mediastorage mount point.Like this: mp0: /mnt/mediastorage/,mp=/mediastorage After that,I tried to grant access for these files for plex(107:115) user in the "plex" container: lxc.idmap: u 0 100000 107 lxc.idmap: u 107 110 1 lxc.idmap: u 108 100125 64410 lxc.idmap: g 0 100000 115 lxc.idmap: g 115 117 1 lxc.idmap: g 116 100136 64399 On the host I did this: root@proxmox:~# cat /etc/subuid root:100000:65536 root:110:1 root@proxmox:~# cat /etc/subgid root:100000:65536 root:117:1 Later, I created the other container, where created a user called rtorrent(107:115) and did the same config like the "plex" container. There was a moment where everything seemd fine but after a reboot(host) incomprehensive things happened like this: Previous thread where it started Noticed that at the "plex" container, appeared a new entry in the /etc/passwd file: mediastorage:x:108:116:...etc /etc/group: mediastorage:x:116: -these were not there earlier and the container was in shutdown state. root@plex:/# ls -al /home total 12 drwxr-xr-x 3 root root 4096 Jan 23 20:57 . drwxr-xr-x 23 root root 4096 Jan 24 22:42 .. drwxr-xr-x 2 nobody nogroup 4096 Jan 23 20:57 mediastorage Can somebody explain it what happened here please? How can I achieve my main idea?(share storage between the containers) Is it possible in this way? **EDIT1:** Reinstalled the container, first mounted the /mediastorage than installed plex than add uid mapping to the container's config.(Somewhere I read that maxbe it will work).Now the storage works but the plex service can't start because of permission issues. From the host -- lxc container's disk mounted as /mnt/lxc102: /mnt/lxc102/etc/passwd: plex:x:107:115::/var/lib/plexmediaserver:/bin/bash /mnt/lxc102/etc/group: plex:x:115: ls -al /mnt/lxc102: drwxr-xr-x 2 100000 100000 4096 Jan 25 23:22 mediastorage ls -al /mnt/lxc102/var/lib: drwxr-xr-x 3 100107 100115 4096 Jan 25 23:25 plexmediaserver On the container, the plexmediaserver directory listed as nobody:nogroup again.

If a user has an UID but no name, ie:

$ whoami
whoami: cannot find name for user ID 1001
$ id
uid=1001 gid=0(root) groups=0(root)

is it possible to change the UID but still leave the user name undefined? ----- System info:

$ cat /proc/version
Linux version 4.15.0-88-generic (buildd@lgw01-amd64-036) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #88~16.04.1-Ubuntu SMP Wed Feb 12 04:19:15 UTC 2020

I have a piece of equipment running a yocto build. This build includes services like ssh-server, mysql, and ntp, with each run as their own users. mysql is UID 999, sshd is UID 998, etc. In my latest yocto build, a new user called messagebus was added with UID 999. So now mysql is 998, and sshd is 997. This will break my system if I upgrade to it, because there is a variable partition with things like database files, which mysql needs access to, and are owned by UID 999. How can I tell yocto which UIDs and GIDs I want to use for those services? I'm finding a lot of information on how to do it for new recipes that I create, but not how to do it for existing recipes. I tried turning on

= "useradd-staticids"

in my local.conf, but that didn't do anything. It seems those recipes don't have the needed passwd and group files because when I also turned on

= "error"

, I was getting errors for those services. I tried to create a recipe for mariadb that just did

:prepend := "${THISDIR}/files:"

and then I had files passwd and group that had

:x:999:999::/var/mysql:/bin/false

and

:x:999:

respectively. I compiled this, and it built, but the rootfs

/etc/passwd

file still had 998 as the UID. Any ideas? Ideally I'd like to manage all this with just one file, but I'll have separate bbappends for each recipe if I have to do it that way.

I expected

uid=0(root) gid=0(root) groups=0(root)

to be the output of both

$ rootlesskit id

$ unshare -U bash -c 'newuidmap $$ 0 '"$(id -u)"' 1; id'

however the somewhat more verbose -x command

$ unshare -U bash -xc 'newuidmap $$ 0 '"$(id -u)"' 1; id'

yields instaed

+ newuidmap 41372 0 1000 1
newuidmap: uid range 0-1) -> [1000-1001) not allowed
+ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

Why makes newuidmap think that mapping a user's uid to 0 in an new user namespace would be dissallowed? My understanding of info contained in [man 7 user_namespaces is that any user (assuming CONFIG_USER_NS_UNPRIVILEGED is configured) can do an unshare or clone in order to create a new user namespace (setting the flag CLONE_NEWUSER). Now I now that the main "additional value" of newuidmap is to map the ranges specified in /etc/subuid however, I strace the working rootlesskit shows:

[pid 35921] execve("/usr/bin/newuidmap", ["newuidmap", "35909", "0", "1000", "1", "1", "200000", "65536"], 0xc000002480 /* 44 vars */ 
[....]
[pid 35921] openat(3, "uid_map", O_WRONLY) = 5
[pid 35921] write(5, "0 1000 1\n1 200000 65536\n", 24) = 24

eventually Also of course it is totally possible to do the mapping even without newuidmap

[user1@host tmp]$ cat > unshare.c 
#include 
#include 
#include 
#include 
#include 

int main(int argc, char* argv[])
{
    int fd_uidmap;
    char mapping;
    sprintf(mapping,"0 %ld 1\n",(unsigned int) geteuid());
    if (unshare(CLONE_NEWUSER) == -1)
    {
        puts("error\n");
        exit(1);
    }
    fd_uidmap = open("/proc/self/uid_map",O_RDWR,NULL);
    write(fd_uidmap,mapping,strlen(mapping));
    close(fd_uidmap);
    execvp(argv[1] , argv+1);
    return 0;
}
EOF
[user1@host tmp]$ gcc unshare.c -o unshare
[user1@host tmp]$ ./unshare id
uid=0(root) gid=65534(nobody) groups=65534(nobody)

Why does global root (root in the initial user namespace) not have the ability to read all files regardless of permission when ID-mapped mounts (see "ID-mapped mounts" under man 2 mount_setattr and "X-mount.idmap" under man 8 mount ) are in use? Minimal test case:

dd if=/dev/zero of=/tmp/idmaptest bs=1M count=10
mkfs.ext4 /tmp/idmaptest
mount /tmp/idmaptest /mnt -o X-mount.idmap=1000:0:1
ls -l /mnt/lost+found

After doing all of the above as root, the final command will fail with a permission denied error. (By the way, this isn't specific to lost+found. Any other directory that's not world-readable will exhibit the same behavior.) This surprises me, because I definitely have CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE in the initial user namespace, and man 7 user_namespaces says "If a process has a capability in a user namespace, then it has that capability in all child (and further removed descendant) namespaces as well.", so I expect to have them everywhere. Even weirder, if I try to do chmod 755 /mnt/lost+found, it fails with EOVERFLOW (Value too large for defined data type), which man 2 chmod doesn't even mention as a possible error from that syscall. Is what I'm seeing intentional behavior, or a bug? If it's intentional, why? And either way, is there any workaround other than unmounting and remounting it without ID mapping enabled?

The info page of command id states that it will output the effective user ID if different from the real user ID. I have been trying to achieve that somehow, running the command with the Bash shell as my normal (unprivileged) user, in Ubuntu. For example, I tried the example in the answer by @Asain Kujovic [here](https://unix.stackexchange.com/a/399349/493379) but it didn't work, I get not euid in the output whatsoever. This is the example:

osbo@osboxes:~/t$ sudo gcc -o test.bin -xc - 
     #include 
     int main() { seteuid(0); system("id"); }
EOF
osbo@osboxes:~/t$ sudo chmod +s test.bin && ./test.bin && sudo rm test.bin
uid=1000(osbo) gid=1000(osboxes) groups=1000(osboxes),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),113(bluetooth),119(scanner)

**EDIT**:
I'm a beginner in Linux, so beginner-friendly answers are welcome, if that is possible for the question I made. I know what is a shell program (like Bash or sh), what are environment variables, what is a C program and what are system calls such as getuid and geteuid. I also know what are real, effective and saved user/group ID, as related to a process a user spawns. Yet, I know very little about parent-child processes scenarios, or the strace command.

I would like to create & start LXC container for specific UID & GID for below purpose. Login to root user(sudo user) , Do lxc-create of container, then do lxc-start of the container with same root user id. while staring container I need to start all the process inside the container with low privilege(un-priv) user id in which access to the user is restricted to only container and not to host.basically when I say ps -axu , I should be able to see low privilege user id for all the container process. PS : my host which is VM with ubuntu 16.04 LTS is systemd init system and my container(type busybox) will be started with systemd services . for that I have modified busybox template as below Code: lxc.init_cmd=/lib/systemd/systemd and also removed all rcS & inittab related scripts in the busybox default template and for user id map , I have changed as below in my template Code: lxc.id_map=u 0 165536 65536 lxc.id_map=g 0 165536 65536 after that I just followed below steps Container created normally with below commend (and I cross checked config file at /var/lib/lxc/testecho_uid/config to make sure that all my template changes are reflected or not, found ok) Code: sudo lxc-create -n testecho_uid -t busybox_systemd_uid Entered below command to start the container with foreground Code: sudo lxc-start -n testecho_uid -F Error is : vijay@vijay-VirtualBox:~$ sudo lxc-start -n testecho_uid -F lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid: No such file or directory lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid-1: No such file or directory newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping lxc-start: start.c: __lxc_start: 1353 failed to spawn 'testecho_uid' newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/systemd//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/perf_event//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/hugetlb//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpu//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/memory//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/pids//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/blkio//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpuset//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/net_cls//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/devices//lxc/testecho_uid-2 newuidmap: uid range [0-65536) -> [165536-231072) not allowed lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/freezer//lxc/testecho_uid-2 lxc-start: lxc_start.c: main: 344 The container failed to start. lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options. Can anyone please tell me whether I am missing anything here. below are my ubuntu 16.04 setup for uid & gid Code: vijay@vijay-VirtualBox:~$ sudo cat /etc/subgid vijay:100000:65536 usrlxc:165536:65536 vijay:165536:65537 Code: vijay@vijay-VirtualBox:~$ sudo cat /etc/subuid vijay:100000:65536 usrlxc:165536:65536 vijay:165536:65537 ---------- if above my question is not clear , please see below one more question similar to same scenario. Is there a way to access(lxc start & attach) unprivileged container from root user or sudo user . That is , I have created , started and attached un-priv container using lxc user(not sudo user/root user) by login into lxc user without any issue. Now I would like to start & attach the lxc user created un-priv container from root user or sudo user. Is that possible? if yes please let me know how to do that?. I checked lxc-ls from sudo/root user and it just listed only the containers created by sudo user and does not display the container created by lxc user. or All the processes/threads of Privilege container can be executed/run for specific UID(eg: lxc user) by root/sudo user while doing lxc-start or by any means? I also tried by giving below lxc user uid & gid in config(ultimately changing busybox template). it gave above comment error. Code: lxc.id_map=u 0 165536 65536 lxc.id_map=g 0 165536 65536 I tried all the possible way , but no luck , please educate me this topic. Below are user detail in my ubuntu desktop lxc user --> "usrlxc" which I have created as part of un-priv container creation experiment. Sudo user --> "vijay" - this is sudo user in my ubuntu 16.04 Virtual box machine. root user --> # which all of you aware Please let me know if any information from my ubuntu setup or lxc config

The [ArchWiki - rsnapshot page](https://wiki.archlinux.org/title/rsnapshot) mentions creating multiple users with uid and gid set to 0 as a means of creating users that login remotely to perform backups. >One thing you can do to mitigate the potential damage from a backup server breach is to create alternate users on the client machines with **uid** and **gid** set to 0, but with a more restrictive shell such as scponly. I assume that the purpose is to give those accounts the read-write-execute permissions of the root user with the proviso their login shell gives them reduced rights. Does that mean that even if accounts have the same gid and uid they are still distinguished by account name and having the same gid and uid gives them same access rights that ?

I have a friend who works at a business where the IT guy has passed away and I am trying to help them until they can hire someone else. It is a workgroup networked with a Linux server. They recently hired a new employee who is needing access to their file share. I have never used Linux but tried to create a user but he can not access the file share. When he tried to access the server \\server1 he of course can not connect to it. Here is where I'm at so far. I created a user on their server name chris and added him to what I believe are the groups. The user cary is set up correctly and can access the file share so I am trying to copy his access. The following is the id chris and id cary and what I think may be the issue. uid=1010(cary) gid=100(users) groups=100(users),101(cad),1005(samba) uid=1035(chris) gid=1035(chris) groups=1035(chris),100(users),101(cad),1005(samba) I see chris has the first gid of 1035 so I'm assuming it needs to be changed to 100. He then has groups=1035(chris) that shouldn't be there at all? Any help would be appreciated! Thanks!

In Root Explorer I have the option 9997-everybody and 9999-nobody. If I change the owner of any file to everybody:everybody, will it be fully editable by all users? This user does not exist on the Ubuntu/Linux system, does its existence have any meaning?

After reading https://unix.stackexchange.com/a/222376/246754 How rpm ensure that no uid/gid clash with each other ? What I am looking is similar to https://github.com/NixOS/nixpkgs/blob/68196a61c26748d3e53a6803de3d2f8c69f27831/nixos/modules/config/users-groups.nix#L640-L642 (given for comparison) I have though to building a VM and take the /etc/passwd to see taken uid. It doesn't fully anser my need because 174 is not their by default. Again nix also reserve some uid like 0 for root https://github.com/NixOS/nixpkgs/commit/dba1d48b7897c49e5df9430c6b60f17e03ec361e and I can see the list without building a VM or can query with the cli. They also have an allocator for id so I don't have to manage it. This is a scriptlet run when rebuilding /etc/passwd PS: I have tagged rpm-spec because the linked question is about RPM but the problem is more likely to happen to other tools like apt, yum, pacman, brew... If you have knowledge for other system please create another question and answer it (to keep Q&A style) or comment

Following docker instructions , I've run a docker with dockerd --userns-remap=default which added this line to the /etc/subuid file: dockremap:165536:65536 I don't understand what it means, please explain.

I am on Ubuntu 22.04. I noticed that the tty which runs the Ubuntu GUI periodically changes from tty2, to tty3, what is the reason for this? I also noticed other UID changes, for instance tty1 has always been the login screen but I recently saw that the UID changed from root(0) to gdm (127)? What could explain these UID changes?

I am struggling with a loop over users id, i want to list all the users in /etc/passwd whose id are greater than 999, it doesn't recognize my if .. fi sentence and it is important to say that I am working with the minimal installation so I don't have commands as 'awk', this is my actual code cat /etc/passwd | while IFS=: read name pass uid gid geos home; do if [$uid > 999]; then echo $name di done; I have also tried with -gt but it does't work either

I'm trying to change the UID of user ec2-user to 500, when I try the following command getting the error UID already exists. sudo usermod -u 500 ec2-user usermod: UID '500' already exists I'm doing a grep of /etc/passwd and can't find UID 500, so not sure how I can accomplish this.

I am trying to look at the source code of the passwd and gpasswd programs . These tools check the effective UID set to zero to complete execution successfully. But I am a noob to C and couldn't find the line of code that checks if the process is being run by UID == 0. I would appreciate any hints or solutions.

Say I have a user named *user* with UID *1001* on one system and the same user (named *user*) with another UID, let's say *1002*. If I unplug the disk drive from the second system and plug it into the first, is there an elegant way to act as if UID 1002 on the newly added drive is the same as UID 1001 on the current system (without actually scanning the file tree and chown'ing 1002 to 1001)?

Trying to learn about UIDs and GIDs. Various online reading led me to believe that my UID is saved in /etc/passwd, but this doesn't appear to be the case on a server where I work:

$ whoami
user1
$ cat /etc/passwd | grep user1
$

**Is there a(nother) file besides /etc/passwd that could contain my UID?** (I'm assuming UID is similar to GID in that there is a file somewhere that contains it. I've found the GID I'm interested in in the file /etc/group) I know that I can get my UID with the command id -u, but for this question, I'm specifically interested in learning whether there's a _file_ that contains it.