[Buildroot] Failed to build in a user namespace without the root user

Esben Nielsen nielsen.esben at gmail.com
Wed Apr 3 15:46:45 UTC 2019


Without FAKEROOTDONTTRYCHOWN it ends up in the kernel, which does a
lookup in the current user namespace and looks for uid 0 - which is
not there. Then it returns EINVAL, not EPERM.
When I set FAKEROOTDONTTRYCHOWN (from outside buildroot), I don't get that.

Hints how to reproduce:

bwrap --bind / / --uid 1000 --gid 1000 --dev /dev <make command>

bwrap 0.3.0 is compiled as user without suid bit set.

/Esben


On Tue, Apr 2, 2019 at 8:41 PM Peter Korsgaard <peter at korsgaard.com> wrote:
>
> >>>>> "Esben" == Esben Nielsen <nielsen.esben at gmail.com> writes:
>
>  > I try to build in an unpriviliged container (using bubblewrap), where
>  > I only have a single user id, not uid 0.
>
> Sounds special, but OK.
>
>  > I found the issue was in fakeroot, which per default when it does
>  > chown, it also asks the kernel if the id it does chown to actually
>  > exists. This is the default behaviour.
>
> Sorry, where do you see that? Looking at the fakeroot code, the only
> thing FAKEROOTDONTTRYCHOWN controls is if the wrapped chown also calls
> the real chown syscall:
>
> int chown(const char *path, uid_t owner, gid_t group){
> ..
>   if(!dont_try_chown())
>     r=next_lchown(path,owner,group);
>   else
>     r=0;
>   if(r&&(errno==EPERM))
>     r=0;
>
>   return r;
>
> Does lchown(path, 0, 0); return anything else than EPERM in your
> bubblewrap setup?
>
>
>  > Shouldn't it totally ignore the uid and gid map in the user namespace
>  > in the kernel?
>
> The goal is indeed that Buildroot builds do not differ based on the
> build host. We are not there yet though.
>
>
>  > Shoudln't that be default in buildroot? It is totally irrelevant,
>  > which is uids are mapped on the host when building a rootfs to run
>  > somewhere else.
>
> I have no problem with setting this environment variable the one place
> in fs/common.mk where we invoke fakeroot as there is indeed no reason to
> try to perform a chown "for real" for the Buildroot use cases, but I
> would like to understand what goes wrong exactly for you?
>
> --
> Bye, Peter Korsgaard


More information about the buildroot mailing list