default to using the root user in the namespace

map the user as root, so it has privileges to user owned files outside
the namespace

Signed-off-by: Zen <[email protected]>

Author: desultory

src/zenlib/util/namespace.py

@@ -1,5 +1,5 @@
 from multiprocessing import Event, Pipe, Process, Queue
-from os import CLONE_NEWNS, CLONE_NEWUSER, chroot, getlogin, setgid, setuid, unshare
+from os import CLONE_NEWNS, CLONE_NEWUSER, chroot, getlogin, setgid, setuid, getuid, getgid, unshare
 from subprocess import CalledProcessError, run
 
 
@@ -20,16 +20,16 @@ def get_id_map(username=None, id_type="uid"):
     raise ValueError(f"User {username} not found in /etc/sub{id_type}")
 
 
-def new_id_map(id_type, pid, id, nsid, count=2**16, failures=0):
+def new_id_map(id_type, pid, id, nsid, count=1, *args, failures=0):
     if id_type not in ("uid", "gid"):
         raise ValueError("id_type must be 'uid' or 'gid")
-    args = [f"new{id_type}map", str(pid), str(id), str(nsid), str(count)]
+    cmd_args = [f"new{id_type}map", str(pid), str(id), str(nsid), str(count), *map(str, args)]
     try:
-        return run(args, check=True)
+        return run(cmd_args, check=True)
     except CalledProcessError as e:
         if failures > 5:
             raise e
-    new_id_map(id_type, pid, id, nsid, count, failures + 1)
+    new_id_map(id_type, pid, id, nsid, count, *args, failures=failures + 1)
 
 
 class NamespaceProcess(Process):
@@ -38,21 +38,21 @@ class NamespaceProcess(Process):
     """
 
     def __init__(self, target=None, args=None, kwargs=None, **ekwargs):
-        self.uid = int(kwargs.pop("uid", 0))
-        self.gid = int(kwargs.pop("gid", 0))
         self.target_root = kwargs.pop("target_root", "/")
         namespace_user = kwargs.pop("namespace_user", getlogin())
         self.subuid_start, self.subuid_count = get_id_map(namespace_user, "uid")
         self.subgid_start, self.subgid_count = get_id_map(namespace_user, "gid")
+        self.orig_uid = getuid()
+        self.orig_gid = getgid()
         self.uidmapped = Event()
         self.completed = Event()
         self.exception_recv, self.exception_send = Pipe()
         self.function_queue = Queue()
         super().__init__(target=target, args=args, kwargs=kwargs, **ekwargs)
 
     def map_ids(self):
-        new_id_map("uid", self.pid, self.uid, self.subuid_start, self.subuid_count)
-        new_id_map("gid", self.pid, self.gid, self.subgid_start, self.subgid_count)
+        new_id_map("uid", self.pid, 0, self.orig_uid, 1, 1, self.subuid_start, self.subuid_count)
+        new_id_map("gid", self.pid, 0, self.orig_gid, 1, 1, self.subgid_start, self.subgid_count)
 
     def map_unshare_uids(self):
         self.start()
@@ -62,8 +62,8 @@ def map_unshare_uids(self):
     def run(self):
         unshare_namespace()
         self.uidmapped.wait()
-        setuid(self.uid)
-        setgid(self.gid)
+        setuid(0)
+        setgid(0)
         chroot(self.target_root)
         try:
             self.function_queue.put(self._target(*self._args, **self._kwargs))

tests/test_namespace.py

@@ -28,9 +28,6 @@ def test_user_namespace_func(self):
     def test_user_namespace_uid_gid(self):
         self.assertEqual(nsexec(test_uid_gid), (0, 0))
 
-    def test_user_namespace_alt_uid_gid(self):
-        self.assertEqual(nsexec(test_uid_gid, uid=9999, gid=9999), (9999, 9999))
-
 
 if __name__ == "__main__":
     main()