lxc-usernsexec(1)                                            lxc-usernsexec(1)

NAME

       lxc-usernsexec - Run a task as root in a new user namespace.

SYNOPSIS

       lxc-usernsexec [-m uid-map] {-- command}

DESCRIPTION

       lxc-usernsexec can be used to run a task as root in a new user
       namespace.

OPTIONS

       -m uid-map
              The uid map to use in the user namespace. Each map consists of
              four colon-separated values. First a character 'u', 'g' or 'b'
              to specify whether this map pertains to user ids, group ids, or
              both; next the first userid in the user namespace; next the
              first userid as seen on the host; and finally the number of ids
              to be mapped.

              More than one map can be specified. If no map is specified, then
              by default the full uid and gid ranges granted by /etc/subuid
              and /etc/subgid will be mapped to the uids and gids starting at
              0 in the container.

              Note that lxc-usernsexec always tries to setuid and setgid to 0
              in the namespace. Therefore uid 0 in the namespace must be
              mapped.

EXAMPLES

       To spawn a shell with the full allotted subuids mapped into the
       container, use

              lxc-usernsexec


       To run a different shell than /bin/sh, use

              lxc-usernsexec -- /bin/bash


       If your user id is 1000, root in a container is mapped to 190000, and
       you wish to chown a file you own to root in the container, you can use:

              lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file


       This maps your userid to root in the user namespace, and 190000 to uid
       1. Since root in the user namespace is privileged over all userids
       mapped into the namespace, you are allowed to change the file
       ownership, which you could not do on the host using a simple chown.
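
       The map format and the "uid 0 must be mapped" requirement from
       OPTIONS, checked against the chown example above. This is an added
       example, not part of the LXC man page or source: parse_map,
       check_maps and the sample grants are hypothetical names and
       constructed values, and the rule that a caller may map its own
       single id is an assumption.

```python
from typing import NamedTuple

class IdMap(NamedTuple):
    kind: str        # 'u' (user ids), 'g' (group ids) or 'b' (both)
    ns_first: int    # first id inside the user namespace
    host_first: int  # first id as seen on the host
    count: int       # number of ids mapped

def parse_map(spec):
    """Parse one -m argument of the form kind:ns_first:host_first:count."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError(f"{spec!r}: expected four colon-separated values")
    kind, *nums = parts
    if kind not in ("u", "g", "b"):
        raise ValueError(f"{spec!r}: first value must be 'u', 'g' or 'b'")
    if not all(n.isascii() and n.isdigit() for n in nums):
        raise ValueError(f"{spec!r}: ids and count must be decimal integers")
    ns_first, host_first, count = map(int, nums)
    if count < 1:
        raise ValueError(f"{spec!r}: count must be at least 1")
    return IdMap(kind, ns_first, host_first, count)

def check_maps(specs, own, grants):
    """Return a list of problems found in a set of -m arguments.

    own    -- caller's ids, e.g. {"u": 1000, "g": 1000}
    grants -- (first, count) ranges from /etc/subuid ("u") and /etc/subgid ("g")
    """
    problems = []
    maps = [parse_map(s) for s in specs]
    for kind, label in (("u", "uid"), ("g", "gid")):
        active = [m for m in maps if m.kind in (kind, "b")]
        # lxc-usernsexec always setuid/setgid to 0, so id 0 must be mapped.
        if not any(m.ns_first == 0 for m in active):
            problems.append(f"{label} 0 in the namespace is not mapped")
        for m in active:
            end = m.host_first + m.count
            # Assumption: a single id equal to the caller's own id may be mapped.
            own_id = m.count == 1 and m.host_first == own[kind]
            granted = any(f <= m.host_first and end <= f + c for f, c in grants[kind])
            if not (own_id or granted):
                problems.append(f"host {label}s {m.host_first}-{end - 1} not granted")
    return problems

# Constructed sample: the page's chown example, with an assumed 65536-id grant.
SAMPLE_GRANTS = {"u": [(190000, 65536)], "g": [(190000, 65536)]}
SAMPLE_OWN = {"u": 1000, "g": 1000}

if __name__ == "__main__":
    print(check_maps(["b:0:1000:1", "b:1:190000:1"], SAMPLE_OWN, SAMPLE_GRANTS))
```

       A 'u'-only map leaves gid 0 unmapped and is reported, as is any host
       range that is neither the caller's own id nor inside a granted range.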

SEE ALSO

       lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1),
       lxc-stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1),
       lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1),
       lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

AUTHOR

       Serge Hallyn <serge.hallyn@ubuntu.com>



                                  2021-05-08                 lxc-usernsexec(1)