One of the steps is creating /etc/subuid and /etc/subgid and giving root very large ranges. From my understanding, this sets up unprivileged containers. I.e. "root" inside of a container is actually an unprivileged user inside the defined range in subuid.
However, when I tried to add a temporary test user today, I got hung up trying to solve an ancillary problem:
kyle@perkins ~ $ sudo useradd -m -g users -G lp,audio,cdrom,video,plugdev -u 1111 test
useradd: Can't get unique subordinate UID range
useradd: can't create subordinate user IDs
useradd also exits with exit code 16, which is undocumented in its man page. (Slightly annoying)
It turns out that useradd attempts to modify subuid and subgid to allocate individual "extra" subranges for each user. Of course this is configurable in login.defs.
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 101
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 101
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
So, my questions are:
Considering LXD handles privilege management, should unprivileged users have a subrange at all?
What is the best way to bring useradd to a usable state again? Ideally, I would like to disable adding a subrange. (I tried setting SUB_UID_COUNT to 0.) However, I suppose I can mess around with the ranges.
Question
klipkyle
Recently, I followed the LXD setup instructions: https://www.funtoo.org/LXD
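An added example (not part of the original post, and not code from shadow or LXD): a Python check of whether an /etc/subuid layout leaves room for the per-user range that useradd tries to allocate, using the SUB_UID_* values quoted in the post. The subuid contents are constructed samples, and the first-fit gap search is an assumed model of how useradd picks a range.

```python
# Added example. SUB_UID_* are the login.defs settings quoted in the post.
SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT = 100000, 600100000, 65536

# Constructed samples, not the poster's actual files.
LARGE_ROOT_RANGE = "root:100000:1000000000\n"  # covers the whole window
ROOM_LEFT = "root:1000000:1000000000\nalice:100000:65536\n"


def parse_subid(text):
    """Parse name:start:count lines into (name, first_id, last_id) tuples."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        start, count = int(fields[1]), int(fields[2])
        if count > 0:
            ranges.append((fields[0], start, start + count - 1))
    return ranges


def first_free_start(ranges, lo=SUB_UID_MIN, hi=SUB_UID_MAX, count=SUB_UID_COUNT):
    """First start in [lo, hi] with `count` unclaimed ids, or None (assumed first-fit)."""
    if count <= 0:
        return None
    candidate = lo
    for _, start, end in sorted(ranges, key=lambda r: r[1]):
        if end < candidate:
            continue                      # range lies entirely below the candidate
        if start - candidate >= count:
            break                         # the gap before this range is big enough
        candidate = max(candidate, end + 1)
    return candidate if candidate + count - 1 <= hi else None


def blockers(ranges, lo=SUB_UID_MIN, hi=SUB_UID_MAX):
    """Names of entries whose ids overlap the [lo, hi] allocation window."""
    return sorted({name for name, start, end in ranges if start <= hi and end >= lo})


if __name__ == "__main__":
    for label, text in (("large root range", LARGE_ROOT_RANGE), ("room left", ROOM_LEFT)):
        parsed = parse_subid(text)
        print(label, "-> free start:", first_free_start(parsed), "overlapping:", blockers(parsed))
```

To check a real host, pass the contents of /etc/subuid (or /etc/subgid with the SUB_GID_* values) to parse_subid instead of the constructed strings.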
6 answers to this question