How can I chown a file to a subuid without sudo?

Subuids aren't meant to work the way you expect them to work. They are designed to map UIDs in a user namespace to different UIDs outside that namespace, which comes in handy (and actually was designed) for containers.

However, a process still can have only one UID set (user namespace), and users are not permitted to change ownership of files, for obvious security reasons. It doesn't matter, as far as the process itself is concerned, if the user is actually someone else outside the namespace.

This is why the chown command fails: it doesn't matter if you could have some other UID, should the namespace be different; at that moment, you don't have that UID, and therefore you can't change the ownership of any files (since you're not root).

As for why you can remove the file: it actually has nothing to do with subuids; instead, it all depends on you having ownership of the directory the file resides in. Since file deletion changes the directory, and not the file itself, if you can write to the directory, you can remove any files from it (except for "sticky" directories).
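The deletion rule described in this answer can be checked directly. The following is an added example, not part of the original answer: it creates a read-only file in a writable directory and a writable file in a read-only directory, attempts unlink(2) on each, and separately encodes the sticky-bit rule (unlink allowed only for the file owner, the directory owner, or root) as a pure function. All paths and uids in it are constructed for the demonstration.

```python
import os
import tempfile


def try_unlink(path: str) -> bool:
    """Return True if unlink(2) succeeds, False if the kernel refuses (EACCES/EPERM)."""
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False


def demo_unlink_depends_on_directory() -> dict:
    """Show that deleting a file is a write to its directory, not to the file."""
    results = {"euid": os.geteuid()}  # root (CAP_DAC_OVERRIDE) bypasses mode bits
    with tempfile.TemporaryDirectory() as d:
        # Case 1: read-only file (0444) inside a writable directory.
        # unlink succeeds: the file's own permissions are irrelevant.
        ro_file = os.path.join(d, "readonly")
        open(ro_file, "w").close()
        os.chmod(ro_file, 0o444)
        results["readonly_file_writable_dir"] = try_unlink(ro_file)

        # Case 2: writable file (0666) inside a read-only directory (0555).
        # unlink fails for an unprivileged user: the directory cannot be modified.
        locked = os.path.join(d, "locked")
        os.mkdir(locked)
        rw_file = os.path.join(locked, "file")
        open(rw_file, "w").close()
        os.chmod(rw_file, 0o666)
        os.chmod(locked, 0o555)
        try:
            results["writable_file_readonly_dir"] = try_unlink(rw_file)
        finally:
            os.chmod(locked, 0o755)  # restore so the temp directory can be cleaned up
    return results


def can_unlink_in_sticky_dir(caller_uid: int, file_uid: int, dir_uid: int) -> bool:
    """The sticky-bit exception (e.g. /tmp): even with write access to the directory,
    a caller may unlink only files it owns or files in a directory it owns; root may
    unlink anything. Constructed uids are passed in by the caller."""
    if caller_uid == 0:
        return True
    return caller_uid == file_uid or caller_uid == dir_uid


if __name__ == "__main__":
    print(demo_unlink_depends_on_directory())
    print(can_unlink_in_sticky_dir(1000, 1001, 0))  # another user's file in /tmp
```

Run as an unprivileged user, case 1 succeeds and case 2 fails; run as root both succeed, which is why the example records the effective uid alongside the results.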


There is a program lxc-usernsexec that comes along with lxc. This allows you to remap user IDs using the maps in /etc/subuid and /etc/subgid.

Specifically, you can do the following.

  1. lxc-usernsexec -- touch /tmp/test
  2. ls -l /tmp/test will show that the file is owner:group the same as the first subuid:subgid pair in your map.
  3. rm /tmp/test should give an error since you do not currently have the right uid/gid.
  4. lxc-usernsexec -- rm /tmp/test should remove the file.

Hope this helps! The above probably requires various things set up for unprivileged LXC container use. In particular, I think /proc/sys/kernel/unprivileged_userns_clone should be 1.
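To predict what step 2 above will show, you need the first subuid:subgid pair from your map and the way a user namespace translates ids. The following is an added example, not code from the original answer or from lxc: it parses the `user:start:count` format of /etc/subuid and /etc/subgid, translates an inside-namespace id to the host id under the assumption (stated in the answer) that inside id 0 maps to the first range, and reads the unprivileged_userns_clone sysctl if the running kernel has it. The sample map contents are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample contents; not a real /etc/subuid or /etc/subgid.
SAMPLE_SUBUID = """\
# user:start:count
alice:100000:65536
bob:165536:65536
alice:231072:1000
"""
SAMPLE_SUBGID = """\
alice:100000:65536
bob:165536:65536
"""


@dataclass(frozen=True)
class IdRange:
    start: int  # first id as seen on the host
    count: int  # number of consecutive ids in this range


def parse_subid(text: str, user: str) -> List[IdRange]:
    """Return the ranges assigned to `user`, in file order, skipping comments/blank lines."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def map_inside_to_host(inside_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Translate an id inside the namespace to the host id, assuming the ranges are
    laid out contiguously from inside id 0 (so inside 0 -> first range start).
    Returns None for ids that no range covers (they appear as nobody/overflow ids)."""
    inside_start = 0
    for r in ranges:
        if inside_start <= inside_id < inside_start + r.count:
            return r.start + (inside_id - inside_start)
        inside_start += r.count
    return None


def host_owner_for_inside_root(subuid_text: str, subgid_text: str, user: str) -> Tuple[int, int]:
    """The owner:group that `ls -l` on the host shows for a file created as root
    inside the namespace, i.e. the first subuid:subgid pair of the map."""
    uid = map_inside_to_host(0, parse_subid(subuid_text, user))
    gid = map_inside_to_host(0, parse_subid(subgid_text, user))
    if uid is None or gid is None:
        raise ValueError(f"no subuid/subgid range for {user}")
    return uid, gid


def unprivileged_userns_clone(path: str = "/proc/sys/kernel/unprivileged_userns_clone") -> Optional[bool]:
    """True/False from the sysctl; None when the kernel does not expose it
    (the knob is a Debian/Ubuntu patch, not upstream)."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(host_owner_for_inside_root(SAMPLE_SUBUID, SAMPLE_SUBGID, "alice"))  # (100000, 100000)
    print(unprivileged_userns_clone())
```

Swap the constructed strings for the contents of the real files (and your own user name) to see which host uid:gid the `touch` in step 1 produces; the second range in the sample shows how several non-contiguous host ranges still form one contiguous inside-namespace space.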


Your problem has nothing to do with subuid.

According to https://superuser.com/questions/697608/chown-operation-not-permitted

Non-privileged users (not root) cannot chown files to other user names. To use chown, a user must have the privileges of the target user. In other words, only root can give a file to another user.