grantpt report error after unshare
Since I've had the same issue I have also looked into this. Here are my findings:
grantpt(3)
tries to ensure that the slave pseudo terminal has its group set to the special tty
group (or whatever TTY_GROUP
is when compiling glibc):
static int tty_gid = -1;if (__glibc_unlikely (tty_gid == -1)) { char *grtmpbuf; struct group grbuf; size_t grbuflen = __sysconf (_SC_GETGR_R_SIZE_MAX); struct group *p; /* Get the group ID of the special `tty' group. */ if (grbuflen == (size_t) -1L) /* `sysconf' does not support _SC_GETGR_R_SIZE_MAX. Try a moderate value. */ grbuflen = 1024; grtmpbuf = (char *) __alloca (grbuflen); __getgrnam_r (TTY_GROUP, &grbuf, grtmpbuf, grbuflen, &p); if (p != NULL) tty_gid = p->gr_gid; }gid_t gid = tty_gid == -1 ? __getgid () : tty_gid;/* Make sure the group of the device is that special group. */if (st.st_gid != gid) { if (__chown (buf, uid, gid) < 0) goto helper; }
On my system, the tty
group is 5. However, that group isn't mapped into your user namespace and the chown(2)
fails because the GID 5 doesn't exist. glibc then falls back to executing the pt_chown
helper, which also fails. I haven't looked into the details of why it fails, but I assume it's because it's setuid nobody unless you mapped the root user to your user namespace. Here's strace output that shows the failing operation:
[pid 30] chown("/dev/pts/36", 1000, 5) = -1 EINVAL (Invalid argument)
The gives you a couple of methods to work around this problem:
- Map the required groups (i.e.
tty
), which may not be possible withoutCAP_SYS_ADMIN
in the binary that opens the user namespace - Use subuids and subgids together with
newuidmap(1)
andnewgidmap(1)
to make these groups available (this might work, but I haven't tested it). - Make changes that avoid the failure of the
chown(2)
call, e.g. by using a mount namespace and changing the GID of thetty
group in/etc/groups
to your user's GID. - Avoid the
chown(2)
call, e.g. by making thest.st_gid != gid
check false; this should be possible by deleting thetty
group from your target mount namespace's/etc/groups
. Of course, that may cause other problems.