Rootful podman ubi8 keep-id basename

[th-hummel]

Hello,

using podman-5.2.5 on Fedora 41 x86_64, when I run an ubi8 container with --userns=keep-id option as root (for the sake of it I have no real need to do so), it prints the following error message:

# podman run -it --rm --userns=keep-id ubi8:latest /bin/bash
basename: missing operand
Try 'basename --help' for more information.

This happens whether or not root or containers have subuids/subgids

There is no error with host namespace

# podman run -it --rm --userns=host ubi8:latest /bin/bash
[root@b48e6c5e4783 /]# 

As a more general question, my understanding was that for such cases as --userns=nomap or keep-id or auto for rootless users, 2 nested usernamespaces were required/created (as shown by lsns -t user -T) to get the correct mapping.
This seems logical to me after some thought.

keep-id with rootful though seems to create only one usernamespace (againg shown with lsns), which seems logical at first too, but I don't understand how it can write the mapping 0 0 0 4294967295 inside without root having any subuids in the parent (global) usernamespace, nor why permission to follow the /proc/$$/ns/user symlink is denied (I can do that in other modes/usecases) ?
Or maybe I'm wrong and it stays in the global usernamespace

Thanks for your help

--
Thomas HUMMEL

[nalind]

The error is coming from the /etc/profile.d/which2.sh shell snippet, which is trying to determine exactly which shell it's running under by reading what the shell process is using as an interpreter using basename $(readlink /proc/$$/exe). /proc/1/exe is not readable, so readlink is returning an empty string.

[th-hummel]

Thanks for your answer. I see.

I don't understand why /proc/$$/exe or as I stated ns symlinks are not readable in such a case (see my questions above namespace handling above).

--
Thomas HUMMEL

[nalind]

I believe that's a mitigation for CVE-2019-5736.

[th-hummel]

Oh I see.

Still remains the question of how can uid_maps map be written as described previoulsy without subuids in the parent namespace (if I'm right thinking there's a child namespace in my case).

Thanks again

[nalind]

The /etc/subuid and /etc/subgid files, and their equivalents, are consumed by the newuidmap and newgidmap helpers, which use those contents to limit which mappings they'll write on behalf of a caller, but the kernel doesn't require that if the process writing to the maps has sufficient privileges, per user_namespaces(7).
You can confirm whether or not you're in the same user namespace using readlink or ls -l on /proc/self/ns/user.

[th-hummel]

Oh ok.

But podman seems to somehow rely on newuidmap (at least for some use) as it requires a rootless user has enough subuids (listed in /etc/subuid) to accomodate the ones in the image and even requires 'containers' subuids for rootful. Hence my confusion on why he could not require them in some other cases.

I know about the /proc//ns/user link but as you confirmed above, in this particular case, it was not permitted to read it. So I was sort of blind for that matter (I could user --privileged but I was unsure if it modified usernamespace creation or not)

Finally, can you confirm or infim my understanding that in a rootless case settings like --userns=nomap and the like cause 2 nested usernamespaces (the outter one where user is mapped as root and the inner one implementing wanted mapping (mapping described by the userns option value) ?
Apart directly writing the target mapping in only one usernamespace, using such an indirection (an intermediate usernamespace) is the only way I can think of succeeding in reaching such target mappings.

I find it somehow useful to understand what's going on underneath podman to actually understand how to fully use its options in a reasonable way.
Thanks again.

[rhatdan]

Podman attempts to join a user namespace via newuidmap and newgidmap by reading those files and finding the range, If it does not find a range it just creates a user namespace with it's UID mapped to Root in the usernamespace. And will fail if it attempts to do anything with a separate UID, for example podman pull of an image with more then one UID.