Public bug reported:

Description:
Unprivileged user namespace creation fails with a "Permission denied" error on Ubuntu 24.10 (development release, Oracular Oriole) running the 6.11.0-19-generic kernel. This occurs despite the kernel.unprivileged_userns_clone sysctl being set to 1, which should allow unprivileged user namespace creation.

Steps to Reproduce:
1. Boot into Ubuntu 24.10 with kernel 6.11.0-19-generic.
2. As a regular (non-root) user, run the command:
   unshare --user --map-root-user whoami
   Observe the error:
   unshare: cannot open /proc/self/uid_map: Permission denied
3. Run the same command with sudo:
   sudo unshare --user --map-root-user whoami
   Observe that it works successfully, outputting root.
4. Run the command:
   unshare -Ur whoami
   Observe the error:
   unshare: cannot open /proc/self/uid_map: Permission denied
5. Run the same command with sudo:
   sudo unshare -Ur whoami
   Observe that it works successfully, outputting root.

Expected Result:
The unshare command should succeed without requiring sudo when kernel.unprivileged_userns_clone=1.

System Information:
Distribution: Ubuntu 24.10 (Oracular Oriole)
Kernel: Linux thecrisys-HP-ENVY-Notebook 6.11.0-19-generic #19-Ubuntu SMP PREEMPT_DYNAMIC Wed Feb 12 21:43:43 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Release:
PRETTY_NAME="Ubuntu 24.10"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=oracular
LOGO=ubuntu-logo
kernel.unprivileged_userns_clone: 1
Subordinate IDs: thecrisys:100000:65536 for uid and gid
capsh --print:
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(thecrisys) euid=1000(thecrisys)
gid=1000(thecrisys)
groups=4(adm),20(dialout),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),118(lpadmin),1000(thecrisys)
Guessed mode: HYBRID (4)

Troubleshooting steps:
- We tried to use unshare inside a new folder created with the command mkdir ~/userns_test.
- We checked that AppArmor is not blocking with ausearch.
- We checked the kernel command line with cat /proc/cmdline.
- We did a sysctl variables check.
- We checked for systemd configurations.
- We checked the capabilities with capsh --print.
- We could not check with an older kernel.

Additional Notes:
This issue was discovered after upgrading from Ubuntu 23.04 to 24.10. The upgrade involved modifying repository configurations. The ausearch command initially was not found, but the issue persisted after installing the auditd package. Attempts to boot into an older kernel (6.5) failed with the message "you should load the kernel first"; I think I don't have an old kernel to test. The snap command is installed. The command snap confinement snapd did not work.

ProblemType: Bug
DistroRelease: Ubuntu 24.10
Package: linux-image-6.11.0-19-generic 6.11.0-19.19
ProcVersionSignature: Ubuntu 6.11.0-19.19-generic 6.11.11
Uname: Linux 6.11.0-19-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.30.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Mar 6 23:03:38 2025
InstallationDate: Installed on 2023-08-30 (555 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
IwConfig: Error: [Errno 2] No existe el archivo o el directorio: 'iwconfig'
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 001 Device 002: ID 054c:0ce6 Sony Corp. DualSense wireless controller (PS5)
 Bus 001 Device 003: ID 05c8:0379 Cheng Uei Precision Industry Co., Ltd (Foxlink) HP Truevision HD
 Bus 001 Device 004: ID 8087:0a2a Intel Corp. Bluetooth wireless interface
 Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
MachineType: HP HP ENVY Notebook
ProcEnviron:
 LANG=es_ES.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.11.0-19-generic root=UUID=5e0a4276-c051-43e0-ace8-0dc0afc3b7bb ro quiet splash crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M
RelatedPackageVersions:
 linux-restricted-modules-6.11.0-19-generic N/A
 linux-backports-modules-6.11.0-19-generic N/A
 linux-firmware 20240913.gita34e7a5f-0ubuntu2.4
SourcePackage: linux
UpgradeStatus: Upgraded to oracular on 2025-03-06 (1 days ago)
dmi.bios.date: 10/26/2015
dmi.bios.release: 15.35
dmi.bios.vendor: Insyde
dmi.bios.version: F.23
dmi.board.asset.tag: Type2 - Board Asset Tag
dmi.board.name: 80E5
dmi.board.vendor: HP
dmi.board.version: 87.47
dmi.chassis.asset.tag: Chassis Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: HP
dmi.chassis.version: Chassis Version
dmi.ec.firmware.release: 87.47
dmi.modalias:
dmi:bvnInsyde:bvrF.23:bd10/26/2015:br15.35:efr87.47:svnHP:pnHPENVYNotebook:pvrType1ProductConfigId:rvnHP:rn80E5:rvr87.47:cvnHP:ct10:cvrChassisVersion:skuK8P16LA#ABM:
dmi.product.family: 103C_5335KV G=N L=CON B=HP S=ENV
dmi.product.name: HP ENVY Notebook
dmi.product.sku: K8P16LA#ABM
dmi.product.version: Type1ProductConfigId
dmi.sys.vendor: HP

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug oracular wayland-session

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2101122

Title:
  Unprivileged user namespace creation fails on Ubuntu 24.10 (6.11 kernel)

Status in linux package in Ubuntu:
  New

--
Mailing list: https://launchpad.net/~kernel-packages
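The report's troubleshooting list checks kernel.unprivileged_userns_clone but not the second Ubuntu sysctl that governs this case, kernel.apparmor_restrict_unprivileged_userns, which Ubuntu 24.04 and later set to 1 by default so that unconfined programs creating a user namespace are placed under a restricted AppArmor profile. The following diagnostic script is an added example, not code from the bug report or from Ubuntu; the verdict names, the report() helper and the shape of the constructed audit lines are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not from the bug report. It reads the two Ubuntu
# sysctls that decide whether an unconfined, non-root process may create a
# user namespace, and counts AppArmor "userns_create" denials in a log sample.
# Assumptions: Ubuntu's kernel.unprivileged_userns_clone and
# kernel.apparmor_restrict_unprivileged_userns sysctls exist; the audit line
# format below approximates what journalctl -k shows on Ubuntu 24.04+.

# Print the value of a sysctl from /proc/sys, or "absent" if it does not exist.
read_sysctl() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Pure verdict so the logic can be exercised on any machine:
#   $1 = kernel.unprivileged_userns_clone, $2 = kernel.apparmor_restrict_unprivileged_userns
classify_userns() {
  if [ "$1" = "0" ]; then
    echo clone-disabled        # kernel refuses CLONE_NEWUSER for non-root callers
  elif [ "$2" = "1" ]; then
    echo apparmor-restricted   # creation allowed, but AppArmor confines unconfined callers
  else
    echo unrestricted          # look elsewhere: user.max_user_namespaces, seccomp filters
  fi
}

# Count AppArmor denials for user-namespace creation in the text read from stdin.
count_userns_denials() {
  grep -c 'apparmor="DENIED".*operation="userns_create"' || true
}

# Constructed sample (not real log output), shaped like kernel audit lines.
SAMPLE_LOG='audit: type=1400 apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" comm="unshare"
audit: type=1400 apparmor="ALLOWED" operation="userns_create" class="namespace" profile="unconfined" comm="unshare"
audit: type=1400 apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" comm="nsenter"'

# Read the live sysctls, classify them, and show the denial count for the sample.
report() {
  clone=$(read_sysctl kernel.unprivileged_userns_clone)
  restrict=$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)
  echo "kernel.unprivileged_userns_clone=$clone"
  echo "kernel.apparmor_restrict_unprivileged_userns=$restrict"
  echo "verdict: $(classify_userns "$clone" "$restrict")"
  echo "userns_create denials in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_userns_denials)"
}
report
```

On a real host, feed `journalctl -k` or `dmesg` output to count_userns_denials instead of the sample to see whether AppArmor, rather than the clone sysctl, is what refuses the namespace.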