lxc-usernsexec(1)                                            lxc-usernsexec(1)

NAME
       lxc-usernsexec - Run a task as root in a new user namespace.

SYNOPSIS
       lxc-usernsexec [-m uid-map] {-- command}

DESCRIPTION
       lxc-usernsexec can be used to run a task as root in a new user
       namespace.

OPTIONS
       -m uid-map
              The uid map to use in the user namespace. Each map consists of
              four colon-separated values. First a character 'u', 'g' or 'b'
              to specify whether this map pertains to user ids, group ids, or
              both; next the first userid in the user namespace; next the
              first userid as seen on the host; and finally the number of
              ids to be mapped.

              More than one map can be specified. If no map is specified,
              then by default the full uid and gid ranges granted by
              /etc/subuid and /etc/subgid will be mapped to the uids and gids
              starting at 0 in the container.

              Note that lxc-usernsexec always tries to setuid and setgid to 0
              in the namespace. Therefore uid 0 in the namespace must be
              mapped.

EXAMPLES
       To spawn a shell with the full allotted subuids mapped into the
       container, use

              lxc-usernsexec

       To run a different shell than /bin/sh, use

              lxc-usernsexec -- /bin/bash

       If your user id is 1000, root in a container is mapped to 190000, and
       you wish to chown a file you own to root in the container, you can
       use:

              lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file

       This maps your userid to root in the user namespace, and 190000 to
       uid 1. Since root in the user namespace is privileged over all
       userids mapped into the namespace, you are allowed to change the file
       ownership, which you could not do on the host using a simple chown.
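The following is an added example and is not part of lxc or of this man page. It shows, in POSIX sh, how the -m map format and the "uid 0 must be mapped" requirement from OPTIONS can be checked before invoking lxc-usernsexec, and how the chown maps in the example above pass that check while a map set that leaves namespace root unmapped is refused. The function names (usernsexec_check_map, usernsexec_root_mapped, usernsexec_default_maps, usernsexec_cmdline) are mine, the /etc/subuid content is constructed, and laying several subuid ranges out consecutively from namespace id 0 is my reading of the default behaviour described above, not something the man page states.

```shell
#!/bin/sh
# Added example (not lxc code): validate lxc-usernsexec -m map specs and
# derive the default maps that the man page says come from /etc/subuid.

# usernsexec_check_map SPEC
# Returns 0 when SPEC is "t:nsid:hostid:count" with t in u/g/b, all three
# ids numeric and count at least 1; returns 1 otherwise.
usernsexec_check_map() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case $1 in u|g|b) ;; *) return 1 ;; esac
    for n in "$2" "$3" "$4"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$4" -ge 1 ]
}

# usernsexec_root_mapped SPEC...
# Returns 0 only if namespace uid 0 and gid 0 are both covered by some map.
# lxc-usernsexec needs this because it always setuid()s and setgid()s to 0.
usernsexec_root_mapped() {
    have_u=0; have_g=0
    for spec in "$@"; do
        usernsexec_check_map "$spec" || return 1
        old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
        # count >= 1, so the range covers namespace id 0 exactly when nsid is 0
        [ "$2" -eq 0 ] || continue
        case $1 in u) have_u=1 ;; g) have_g=1 ;; b) have_u=1; have_g=1 ;; esac
    done
    [ "$have_u" -eq 1 ] && [ "$have_g" -eq 1 ]
}

# usernsexec_default_maps USER KIND TEXT
# TEXT holds /etc/subuid- or /etc/subgid-style lines "name:start:count".
# Prints one KIND:nsid:hostid:count map per range granted to USER, laid out
# consecutively from namespace id 0 (assumption about the default layout).
usernsexec_default_maps() {
    user=$1; kind=$2; next=0
    while IFS=: read -r name start count; do
        [ "$name" = "$user" ] || continue
        printf '%s:%s:%s:%s\n' "$kind" "$next" "$start" "$count"
        next=$((next + count))
    done <<EOF
$3
EOF
}

# usernsexec_cmdline SPEC...
# Prints the lxc-usernsexec invocation (without the trailing command) that
# these maps would produce, or fails if the task could not become ns root.
usernsexec_cmdline() {
    usernsexec_root_mapped "$@" || return 1
    out='lxc-usernsexec'
    for spec in "$@"; do out="$out -m $spec"; done
    printf '%s\n' "$out"
}

# Constructed sample of /etc/subuid content (not taken from a real system).
SAMPLE_SUBUID='alice:190000:65536
bob:300000:65536'

# The chown example from the man page: uid 1000 becomes namespace root and
# host uid 190000 becomes namespace uid 1, so the check passes.
usernsexec_cmdline b:0:1000:1 b:1:190000:1
# Nothing here maps namespace id 0, so lxc-usernsexec's setuid(0) would fail.
usernsexec_cmdline b:1:190000:1 || echo 'refused: namespace uid/gid 0 not mapped'
# What running lxc-usernsexec with no -m would map for alice, per /etc/subuid.
usernsexec_default_maps alice u "$SAMPLE_SUBUID"
```

The check only reasons about the map syntax and about whether namespace root is covered; whether the host ids named in a map are actually granted to you by /etc/subuid and /etc/subgid is still enforced by the kernel and newuidmap/newgidmap when lxc-usernsexec writes the maps.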

SEE ALSO
       lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1),
       lxc-stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1),
       lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1),
       lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

AUTHOR
       Serge Hallyn <serge.hallyn@ubuntu.com>

                                  2021-01-18                 lxc-usernsexec(1)