https://www.scrivano.org/tags/user-namespace/ Recent content in User Namespace on *scratch* Hugo en Sat, 06 Jun 2026 10:03:54 +0000 https://www.scrivano.org/2019/01/10/suid-binaries-from-a-user-namespace/ Thu, 10 Jan 2019 21:49:30 +0000 https://www.scrivano.org/2019/01/10/suid-binaries-from-a-user-namespace/ <p>Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user. The reason is that a setuid binary created inside a user namespace can retain access to any UID that was mapped in that namespace, even after the namespace is destroyed. If the same UID range is later assigned to a different user, that new user would inherit access to files owned by the old user&rsquo;s containers.</p> https://www.scrivano.org/2018/07/19/become-root-in-an-user-namespace/ Thu, 19 Jul 2018 08:28:06 +0000 https://www.scrivano.org/2018/07/19/become-root-in-an-user-namespace/ <p>I’ve cleaned up some C files I was using locally for hacking with user namespaces and uploaded them to a new repository on github: <a href="https://github.com/giuseppe/become-root">https://github.com/giuseppe/become-root</a>. The tool creates a new user namespace and maps the caller to UID 0 inside it, while also mapping additional UIDs and GIDs from the ranges allocated in <em>/etc/subuid</em> and <em>/etc/subgid</em>. This is the foundation needed for rootless containers, which require a full UID/GID mapping — not just the single-UID mapping that <em>unshare -r</em> provides — to correctly represent file ownership inside container images.</p>