I have a small program, which tries to create a pseudoterminal after unshare. the output is:
uid before unshare:5000 uid after unshare:0 Grant pt Error: : Permission denied
The Code:
#define _GNU_SOURCE
#include <sys/mount.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sched.h>
void set_uid_map(pid_t pid, int inside_id, int outside_id, int length) {
char path[256];
sprintf(path, "/proc/%d/uid_map", getpid());
FILE* uid_map = fopen(path, "w");
fprintf(uid_map, "%d %d %d", inside_id, outside_id, length);
fclose(uid_map);
}
void set_gid_map(pid_t pid, int inside_id, int outside_id, int length) {
char path[256];
sprintf(path, "/proc/%d/gid_map", getpid());
FILE* gid_map = fopen(path, "w");
fprintf(gid_map, "%d %d %d", inside_id, outside_id, length);
fclose(gid_map);
}
int main(void)
{
int master;
int flag = 0;
flag |= CLONE_NEWUSER;
flag |= CLONE_NEWNS;
flag |= CLONE_NEWIPC;
flag |= CLONE_NEWNET;
flag |= CLONE_NEWUTS;
flag |= CLONE_NEWPID;
printf("uid before unshare:%d n", (int) getuid());
unshare(flag);
set_uid_map(getpid(), 0, 5000, 1);
set_gid_map(getpid(), 0, 5000, 1);
printf("uid after unshare:%d n", (int) getuid());
if ( ( master = posix_openpt(O_RDWR | O_NOCTTY) ) < 0)
perror("Openpt Error: ");
if ( grantpt(master) < 0 )
perror("Grant pt Error: ");
unlockpt(master);
return 0;
} // main
If I remove flag |= CLONE_NEWUSER;, there is not error reported. Can you help to explain why this happens? thanks in advance!
Advertisement
Answer
Since I’ve had the same issue I have also looked into this. Here are my findings:
grantpt(3) tries to ensure that the slave pseudo terminal has its group set to the special tty group (or whatever TTY_GROUP is when compiling glibc):
static int tty_gid = -1;
if (__glibc_unlikely (tty_gid == -1))
{
char *grtmpbuf;
struct group grbuf;
size_t grbuflen = __sysconf (_SC_GETGR_R_SIZE_MAX);
struct group *p;
/* Get the group ID of the special `tty' group. */
if (grbuflen == (size_t) -1L)
/* `sysconf' does not support _SC_GETGR_R_SIZE_MAX.
Try a moderate value. */
grbuflen = 1024;
grtmpbuf = (char *) __alloca (grbuflen);
__getgrnam_r (TTY_GROUP, &grbuf, grtmpbuf, grbuflen, &p);
if (p != NULL)
tty_gid = p->gr_gid;
}
gid_t gid = tty_gid == -1 ? __getgid () : tty_gid;
/* Make sure the group of the device is that special group. */
if (st.st_gid != gid)
{
if (__chown (buf, uid, gid) < 0)
goto helper;
}
On my system, the tty group is 5. However, that group isn’t mapped into your user namespace and the chown(2) fails because the GID 5 doesn’t exist. glibc then falls back to executing the pt_chown helper, which also fails. I haven’t looked into the details of why it fails, but I assume it’s because it’s setuid nobody unless you mapped the root user to your user namespace. Here’s strace output that shows the failing operation:
[pid 30] chown("/dev/pts/36", 1000, 5) = -1 EINVAL (Invalid argument)
The gives you a couple of methods to work around this problem:
- Map the required groups (i.e.
tty), which may not be possible withoutCAP_SYS_ADMINin the binary that opens the user namespace - Use subuids and subgids together with
newuidmap(1)andnewgidmap(1)to make these groups available (this might work, but I haven’t tested it). - Make changes that avoid the failure of the
chown(2)call, e.g. by using a mount namespace and changing the GID of thettygroup in/etc/groupsto your user’s GID. - Avoid the
chown(2)call, e.g. by making thest.st_gid != gidcheck false; this should be possible by deleting thettygroup from your target mount namespace’s/etc/groups. Of course, that may cause other problems.