
Disable or configure properly uid|gid remapping. #574

Closed
donob4n opened this issue Apr 14, 2023 · 6 comments

Comments

@donob4n

donob4n commented Apr 14, 2023

Hi,

"abuild rootbld" runs bwrap on a newly generated chroot with apk, and theoretically the local user is part of the "abuild" group. This worked fine for months or years, but now it fails because the user is not a member of any group (all its groups are nobody and even root is nobody... although the chroot has the same "passwd" & "group" files as the host). It seems that bwrap edits /proc/self/uid_map for the process and it can only see uid 1000. I tried many options related to user namespaces and always ended up with the same result. This is the current call:

```sh
        # bwrap invocation used by "abuild rootbld" (as posted)
        local bwrap_opts=""
        options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
        bwrap --unshare-ipc --unshare-uts $bwrap_opts \
                --ro-bind "$BUILD_ROOT" / \
                --proc /proc \
                --dev-bind /dev /dev \
                --bind "$BUILD_ROOT/$HOME" "$HOME" \
                --ro-bind "$HOME/.abuild" "$HOME/.abuild" \
                --ro-bind "$aportsgit" "$aportsgit" \
                ${USE_CCACHE:+ --bind "$HOME/.ccache" "$HOME/.ccache"} \
                --bind "$SRCDEST" "$SRCDEST" \
                --bind "$BUILD_ROOT/tmp" /tmp \
                --bind "$BUILD_ROOT/tmp/src" "$srcdir" \
                --bind "$BUILD_ROOT/tmp/pkg" "$pkgbasedir" \
                --bind "$REPODEST" "$REPODEST" \
                --hostname "build-$buildhost-$CARCH" \
                --chdir "$startdir" \
                --setenv PATH ${USE_CCACHE:+/usr/lib/ccache/bin:}/bin:/usr/bin:/sbin:/usr/sbin \
                --setenv FAKEROOTDONTTRYCHOWN 1 \
                --unsetenv CBUILD \
                /usr/bin/abuild $force rootbld_actions
```

Does someone know what I should do to disable this behaviour or add the users/groups that I need?

@smcv
Collaborator

smcv commented Apr 15, 2023

> the user is not a member of any group (all its groups are nobody and even root is nobody... although the chroot has the same "passwd" & "group" files as the host)

This is not really fixable. The kernel will only allow unprivileged users to map one user ID and one group ID into the new user namespace; every other user ID gets mapped to the overflow uid (usually nobody) and every other group ID gets mapped to the overflow gid (nogroup). bubblewrap does not have control over this.

At the moment it's always the primary group (gid= in id output) that is preserved.

It is possible to choose which single group from among your user's groups gets preserved, by using sg:

```console
$ id
uid=1000(smcv) gid=1000(smcv) groups=1000(smcv),4(adm),[...]
$ bwrap --dev-bind / / id
uid=1000(smcv) gid=1000(smcv) groups=1000(smcv),65534(nogroup)
$ sg adm -c 'bwrap --dev-bind / / id'
uid=1000(smcv) gid=4(adm) groups=4(adm),65534(nogroup)
```

or by editing /etc/passwd to make that group your target user's primary group. However, that relies on sg being setuid, so as far as I'm aware, bwrap cannot do the same thing internally.
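To make the mechanism smcv describes concrete, here is a small model of how the kernel's `/proc/<pid>/uid_map` and `gid_map` translate parent-namespace IDs into an unprivileged user namespace. It is an added example, not code from bubblewrap or from this thread; the map contents and the uid/group list are constructed to mirror the `id` output above, and nothing is read from the running system. The parser handles the general multi-extent map format (each line is `<id inside ns> <id in parent> <length>`), of which the single-entry map an unprivileged bwrap can write is one case; any ID outside every extent is reported as the kernel's overflow ID (65534 by default), which is what `id` prints as `nobody`/`nogroup` inside the sandbox.

```python
"""Model of uid_map/gid_map translation into a user namespace.

Shows why, with an unprivileged bwrap, every supplementary group except
the one mapped gid collapses to the overflow gid, and how `sg` changes
which gid that is.  All inputs below are constructed for illustration.
"""

# Kernel defaults for /proc/sys/kernel/overflowuid and overflowgid.
OVERFLOW_ID = 65534


def parse_id_map(text):
    """Parse the text of /proc/<pid>/uid_map or gid_map.

    Each non-empty line is: <id inside ns> <id in parent ns> <length>.
    Returns a list of (inside, outside, length) extents.
    """
    extents = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inside, outside, length = (int(field) for field in line.split())
        if length <= 0:
            raise ValueError("extent length must be positive: %r" % line)
        extents.append((inside, outside, length))
    return extents


def map_to_ns(extents, parent_id, overflow=OVERFLOW_ID):
    """Translate one parent-namespace ID into the child namespace.

    An ID covered by no extent has no representation in the namespace and
    is reported as the overflow ID (nobody/nogroup).
    """
    for inside, outside, length in extents:
        if outside <= parent_id < outside + length:
            return inside + (parent_id - outside)
    return overflow


def ns_view(uid_map, gid_map, uid, gid, groups):
    """Return (uid, gid, sorted unique supplementary gids) as seen in the namespace."""
    uid_extents = parse_id_map(uid_map)
    gid_extents = parse_id_map(gid_map)
    ns_groups = sorted({map_to_ns(gid_extents, g) for g in groups})
    return map_to_ns(uid_extents, uid), map_to_ns(gid_extents, gid), ns_groups


def demo():
    """Reproduce the two `id` outputs from the thread (constructed inputs)."""
    # Host identity modelled on the thread: uid 1000, primary gid 1000,
    # supplementary groups 1000 (smcv) and 4 (adm).
    host_uid, host_gid, host_groups = 1000, 1000, [1000, 4]

    # Plain unprivileged bwrap: the kernel lets it map exactly one uid and
    # one gid, and bwrap maps the caller's current uid and primary gid.
    plain = ns_view("1000 1000 1\n", "1000 1000 1\n",
                    host_uid, host_gid, host_groups)

    # After `sg adm -c 'bwrap ...'` the primary gid is 4, so the single
    # gid_map entry covers adm instead, and gid 1000 becomes nogroup.
    via_sg = ns_view("1000 1000 1\n", "4 4 1\n",
                     host_uid, 4, host_groups)
    return plain, via_sg


if __name__ == "__main__":
    for label, (uid, gid, groups) in zip(("plain bwrap", "sg adm -c bwrap"), demo()):
        print("%s: uid=%d gid=%d groups=%s" % (label, uid, gid, groups))
```

Running it prints `uid=1000 gid=1000 groups=[1000, 65534]` for the plain case and `uid=1000 gid=4 groups=[4, 65534]` after `sg`, matching the thread's output, and makes clear that there is no map bwrap could write as an unprivileged process that would keep both 1000 and 4.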

@smcv smcv closed this as not planned Won't fix, can't repro, duplicate, stale Apr 15, 2023
@donob4n
Author

donob4n commented Apr 15, 2023

And is there no option to run the process in the parent namespace? Just disable this isolation feature; would a patch for doing it be accepted? (Something like --share-user)

@donob4n
Author

donob4n commented Apr 15, 2023

Well, it seems that our problem is here: https://github.com/containers/bubblewrap/blob/main/bubblewrap.c#L2724

--unshare-user is forced if we are not root/suid, but there is no "--share-user" option... What is the motivation for forcing this behaviour?

@nekopsykose

nekopsykose commented Apr 15, 2023

you can see c0725af and e2b76fe

specifically, it's not possible to --share-user unless bwrap is setuid (privileged). these defaults are just condensing that to the default, and you can't really change that afaict

@rusty-snake
Contributor

> What is the motivation for forcing this behaviour?

If bwrap is not setuid you can only mount (--{ro-,dev-,}bind, ...) if you unshare the userns. Kernel restrictions.

@donob4n
Author

donob4n commented Apr 15, 2023

Ahh, I see. Thanks for the clarification!

4 participants