No shell privileged container

macNCheeseB

New Member
Oct 21, 2020
Hello,

I had a great install of CentOS on a container in Proxmox, with several users set up. I had to then change the container to be privileged as I needed to be able to create and use tun interfaces. Since that time I can no longer SSH into the container (but the webserver GUI I had set up does still work). When I go to use the console to figure out what is going on, I can no longer log in with the root account, and when I use a user with sudo permission I see the following and cannot run any commands with sudo nor cd to the home directory.

Code:
-- user: /home/user: change directory failed: Permission denied
Logging in with home = "/".
-bash: /home/user/.bash_profile: Permission denied

I get a very basic shell prompt and can't use sudo (see below)

Code:
-bash-4.2$ sudo ls
sudo: /etc/sudo.conf is owned by uid 100000, should be 0
sudo: /bin/sudo must be owned by uid 0 and have the setuid bit set

Is this normal for a privileged container? Is there any way to get the normal shell back while maintaining privileged settings to be able to create and use tun interfaces?

For completeness the lines I changed/added in the config to get the tun to work were the following:

Code:
unprivileged: 0
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
 
An unprivileged container maps all users/groups with UID/GID 0-65365 inside the LXC to users/groups 100000-165365 on the host. With a privileged LXC you don't get this remapping. That's why everything previously owned by root with UID 0 (inside the LXC) is now owned by the user with the UID 100000. But it was always owned by the user with the UID 100000 from the view of the host. It just isn't mapped anymore to UID 0 inside the LXC.
So you would need to change the ownership of every file/folder of the LXC from 100000-165365 to 0-65365.
 
Thank you for the prompt reply. Ok, I am looking around for ways to change all that mapping. I guess I need to find where they might be used in files too, like /etc/groups or in the password files. True?
 
In files they still should be 0-65365 and not 100000-165365. You would need to mount that LXC's disk on the host and change all file/folder owners. Most likely it is easier just to do a fresh installation on a new LXC.
 
Thanks for the tips. I was able to find all the user:group lists and then used something like the below to change all the IDs:
Code:
chown --from=100000:0 0:0 -R .
To take care of changing all the files/folders, and then the sudo file had to be reset for the setuid bit:
Code:
chmod u+s bin/sudo
Looks like all is up and running now. Thanks for the direction.
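
The ownership fix discussed in this thread, generalized as an added example (not code from any poster): it shifts every UID/GID in the unprivileged host range back down in one pass and restores the permission bits, since chown clears setuid/setgid on executables, which is why sudo needed `chmod u+s` afterwards. The base 100000, the count 65536 and the names `unshift`, `plan_change` and `remap_tree` are assumptions of this sketch; run it on the host against the mounted root filesystem of the stopped container.

```python
#!/usr/bin/env python3
"""Shift ownership in a container rootfs from the unprivileged host
range back to 0-based IDs, keeping setuid/setgid bits intact."""
import os
import stat
import sys

BASE = 100000   # assumed first host ID of the unprivileged mapping
COUNT = 65536   # assumed number of mapped IDs


def unshift(ident, base=BASE, count=COUNT):
    """Return the 0-based ID if ident is in the shifted range, else ident."""
    return ident - base if base <= ident < base + count else ident


def plan_change(uid, gid, mode, base=BASE, count=COUNT):
    """Return (new_uid, new_gid, perm_bits) or None if nothing changes."""
    new_uid, new_gid = unshift(uid, base, count), unshift(gid, base, count)
    if (new_uid, new_gid) == (uid, gid):
        return None
    return new_uid, new_gid, stat.S_IMODE(mode)


def remap_tree(root, apply=False):
    """Walk root without following symlinks; return the planned changes.
    Nothing is modified unless apply is True."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    changes = []
    for path in paths:
        st = os.lstat(path)
        change = plan_change(st.st_uid, st.st_gid, st.st_mode)
        if change is None:
            continue
        changes.append((path, *change))
        if apply:
            os.chown(path, change[0], change[1], follow_symlinks=False)
            if not stat.S_ISLNK(st.st_mode):
                os.chmod(path, change[2])  # put back bits chown cleared
    return changes


if __name__ == "__main__":
    # usage: remap.py <mounted-rootfs> [--apply]   (dry run by default)
    do_apply = "--apply" in sys.argv[2:]
    for path, uid, gid, mode in remap_tree(sys.argv[1], do_apply):
        print(f"{path}: -> {uid}:{gid} mode {mode:04o}")
```

Without `--apply` it only lists what would change, so the output can be reviewed before anything on disk is touched.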
 
