grantpt report error after unshare

Since I've had the same issue I have also looked into this. Here are my findings:

grantpt(3) tries to ensure that the slave pseudo terminal has its group set to the special tty group (or whatever TTY_GROUP is when compiling glibc):

static int tty_gid = -1;if (__glibc_unlikely (tty_gid == -1))  {    char *grtmpbuf;    struct group grbuf;    size_t grbuflen = __sysconf (_SC_GETGR_R_SIZE_MAX);    struct group *p;    /* Get the group ID of the special `tty' group.  */    if (grbuflen == (size_t) -1L)      /* `sysconf' does not support _SC_GETGR_R_SIZE_MAX.         Try a moderate value.  */      grbuflen = 1024;    grtmpbuf = (char *) __alloca (grbuflen);    __getgrnam_r (TTY_GROUP, &grbuf, grtmpbuf, grbuflen, &p);    if (p != NULL)      tty_gid = p->gr_gid;  }gid_t gid = tty_gid == -1 ? __getgid () : tty_gid;/* Make sure the group of the device is that special group.  */if (st.st_gid != gid)  {    if (__chown (buf, uid, gid) < 0)      goto helper;  }

See https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/grantpt.c;h=c04c85d450f9296efa506121bcee022afda3e2dd;hb=HEAD#l137.

On my system, the tty group is 5. However, that group isn't mapped into your user namespace and the chown(2) fails because the GID 5 doesn't exist. glibc then falls back to executing the pt_chown helper, which also fails. I haven't looked into the details of why it fails, but I assume it's because it's setuid nobody unless you mapped the root user to your user namespace. Here's strace output that shows the failing operation:

[pid    30] chown("/dev/pts/36", 1000, 5) = -1 EINVAL (Invalid argument)

The gives you a couple of methods to work around this problem:

• Map the required groups (i.e. tty), which may not be possible without CAP_SYS_ADMIN in the binary that opens the user namespace
• Use subuids and subgids together with newuidmap(1) and newgidmap(1) to make these groups available (this might work, but I haven't tested it).
• Make changes that avoid the failure of the chown(2) call, e.g. by using a mount namespace and changing the GID of the tty group in /etc/groups to your user's GID.
• Avoid the chown(2) call, e.g. by making the st.st_gid != gid check false; this should be possible by deleting the tty group from your target mount namespace's /etc/groups. Of course, that may cause other problems.