Jump to content
funtoo forums
  • 0
klipkyle

[Solved] useradd refuses to create a user when LXD is configured with subuid/subgid

Question

Recently, I followed the LXD setup instructions: https://www.funtoo.org/LXD

One of the steps is creating /etc/subuid and /etc/subgid and giving root very large ranges.  From my understanding, this sets up unprivileged containers.  I.e. "root" inside of a container is actually an unprivileged user inside the defined range in subuid.

However, when I tried to add a temporary test user today, I got hung up trying to solve an ancillary problem:

kyle@perkins ~ $ sudo useradd -m -g users -G lp,audio,cdrom,video,plugdev -u 1111 test
useradd: Can't get unique subordinate UID range
useradd: can't create subordinate user IDs

useradd also exits with exit code 16, which is undocumented in its man page.  (Slightly annoying)

It turns out that useradd attempts to modify subuid and subgid to allocate individual "extra" subranges for each user.  Of course this is configurable in login.defs.

#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999
# Extra per user uids
SUB_UID_MIN		   100000
SUB_UID_MAX		600100000
SUB_UID_COUNT		    65536

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999
# Extra per user group ids
SUB_GID_MIN		   100000
SUB_GID_MAX		600100000
SUB_GID_COUNT		    65536

So, my questions are:

  • Considering LXD handles privilege management, should unprivileged users have a subrange at all?
  • What is the best way to bring useradd to a usable state again?  Ideally, I would like to disable adding a subrange.  (I tried setting SUB_UID_COUNT to 0.)  However, I suppose I can mess around with the ranges.

Share this post


Link to post
Share on other sites

6 answers to this question

Recommended Posts

  • 1

Thats exactly how I had fixed mine, with login.defs. Just change the SUB_UID_MAX  and SUB_GID_MAX

UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               101
SYS_UID_MAX               999
# Extra per user uids
SUB_UID_MIN                100000
SUB_UID_MAX             2000000000
SUB_UID_COUNT               65536

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               101
SYS_GID_MAX               999
# Extra per user group ids
SUB_GID_MIN                100000
SUB_GID_MAX             20000000000
SUB_GID_COUNT               65536

 

Share this post


Link to post
Share on other sites
  • 0

OK, interesting, this means that as you found, the defaults in login.defs are not wonderful.

From the useradd man page (see bolded part):

SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
           If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user.

So this means, when you created /etc/subuid, you magically enabled useradd to try to start assigning subuid ranges to new users. And by default, its subuid range conflicts with the one in our LXD docs -- LXD eats up this range.

There is no point for useradd to be assigning subuids and subgids to new users it creates by default. It's a cool feature if you need it, I guess, but it should be off by default.

So /etc/login.defs should have SUB_GID_COUNT and SUB_UID_COUNT set to 0 by default.

Also see bcowan's bug report and my response here: https://bugs.funtoo.org/browse/FL-6773

 

 

Share this post


Link to post
Share on other sites
  • 0
On 10/20/2019 at 9:09 PM, drobbins said:

So /etc/login.defs should have SUB_GID_COUNT and SUB_UID_COUNT set to 0 by default.

I tried setting those variables to 0, but useradd still complains even though the ranges have plenty of subuids/subgids to allocate.  Maybe shadow-utils doesn't support this configuration?

kyle@perkins ~ $ sudo useradd -m -g users -G lp,audio,cdrom,video,plugdev -u 1112 test2
Password: 
useradd: Can't get unique subordinate UID range
useradd: can't create subordinate user IDs
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999
# Extra per user uids
SUB_UID_MIN		   100000
SUB_UID_MAX	       2000000000
SUB_UID_COUNT			0

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999
# Extra per user group ids
SUB_GID_MIN		   100000
SUB_GID_MAX	       2000000000
SUB_GID_COUNT			0

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...