On Sun, Jan 09, 2022 at 04:31:39PM +0000, Laurent Bercot wrote:
> Unless I'm mistaken, however, s6-setuidgid and s6-applyuidgid really
> don't make any sense for non-root users. Maybe s6-applyuidgid to
> restrict your own supplementary groups or change your primary group,
> and still, that's a stretch.

Yes, you are missing a potential setup for unprivileged user namespaces. There can be multiple u/gids assigned to a user namespace (usually in the high >= 100000 range outside the namespace), providing a "fake" root user (e.g. 100000 outside the namespace) to start with and several "fake" unprivileged users (e.g. >= 100001 outside the namespace) to drop to. This is how unmodified distributions can run in the container solution of your choice without falling over themselves because they assume there are unprivileged u/gids available when installing packages.

To unprivileged users such ranges are available if they have been assigned to them by the admin in /etc/sub(u|g)id. Then the suid shadow utilities newuidmap(1) or newgidmap(1) can be used to create u/gid mappings. (Normally unprivileged users are only allowed to create a 1 u/gid long range mapping to their own u/gid.)

In such a namespace s6-setuidgid would make sense to use to be able to drop privileges from that "fake" root to another "fake" unprivileged user.

> For the "copy a hierarchy" thing, yeah, I can understand that it's
> frustrating. Would 0744 be acceptable?

Yes, 0744 would be acceptable for the "copy a hierarchy thing". The user namespace thing would require at least 0755 though.
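
The mapping arithmetic described in the message above, as an added example that is not part of the original message and is not code from s6 or the shadow utilities. The user names, the ID numbers and the function names are constructed assumptions, and `mapping_allowed` is a simplified model of the range check, not the real newuidmap(1) logic.

```python
# Constructed /etc/subuid content; users and numbers are assumptions.
SUBUID = """\
# user:first_outside_id:count
alice:100000:65536
bob:165536:65536
"""

def parse_subid(text):
    """Parse /etc/subuid-style text into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def mapping_allowed(user, own_id, mapping, ranges):
    """Simplified model: every (inside, outside, count) entry must either be
    the caller's own ID with count 1, or lie wholly inside one of the
    subordinate ranges the admin delegated to that user."""
    for _inside, outside, count in mapping:
        if count == 1 and outside == own_id:
            continue
        delegated = ranges.get(user, [])
        if not any(s <= outside and outside + count <= s + c
                   for s, c in delegated):
            return False
    return True

def to_outside(inside_id, mapping):
    """Translate an ID seen inside the namespace to the ID seen outside it."""
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None  # no mapping: this ID does not exist in the namespace

if __name__ == "__main__":
    ranges = parse_subid(SUBUID)
    # uid_map-style entry: inside 0 ("fake" root) starts at outside 100000.
    full_map = [(0, 100000, 65536)]
    print("allowed:", mapping_allowed("alice", 1000, full_map, ranges))
    # Dropping from "fake" root to inside uid 1000 lands on outside 101000.
    print("inside 0    ->", to_outside(0, full_map))
    print("inside 1000 ->", to_outside(1000, full_map))
    # A single-ID map has no second ID to drop to.
    print("inside 1000 in 1-ID map ->", to_outside(1000, [(0, 1000, 1)]))
```
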