Cannot add new user in docker container with mounted /etc/passwd and /etc/shadow


6 Answers


You could work around this by mounting a directory containing my_shadow and my_passwd somewhere else, and then symlinking /etc/passwd and /etc/shadow in the container appropriately.

It's failing because passwd manipulates a temporary file, and then attempts to rename it to /etc/shadow. This fails because /etc/shadow is a mountpoint -- which cannot be replaced -- which results in this error (captured using strace):

102 rename("/etc/nshadow", "/etc/shadow") = -1 EBUSY (Device or resource busy)

Comment: I've tried this and the symlink is simply removed and replaced by a copy of the shadow file in its place (in the container) so you won't get an update on the host. So if this ever worked, for debian/ubuntu it's now definitely useless. – Blizz Aug 2 '18 at 15:24
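The EBUSY in the strace line above comes from rename() being pointed at a mount point: passwd writes a temporary file next to the target and renames it over the real one, and a file that is itself a bind mount cannot be replaced that way. The following script is an added example (not code from the answer above) that reads a /proc/self/mountinfo table, decodes the kernel's octal escapes, and reports whether a given path is a mount point and therefore whether the temp-file-then-rename pattern can succeed. The mountinfo contents embedded in it are constructed to mirror the failing container (two files bind-mounted over /etc/passwd and /etc/shadow); `read_live_mountinfo` reads the real table when run on Linux.

```python
# Added example (not from the original answer): explain the EBUSY above by checking
# whether the rename() target is itself a mount point. passwd/useradd write a temp
# file (e.g. /etc/nshadow) and rename() it over the real file; rename() onto a mount
# point fails with EBUSY. The mount table comes from /proc/self/mountinfo.
import errno
import os
import posixpath
import re

# Constructed sample of /proc/self/mountinfo as seen inside a container that
# bind-mounts two files over /etc/passwd and /etc/shadow (the failing case).
# The last line shows the kernel's \040 escape for a space in a path.
SAMPLE_MOUNTINFO = """\
29 1 0:44 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
22 29 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
64 29 8:1 /home/alice/my_passwd /etc/passwd rw,relatime - ext4 /dev/sda1 rw
65 29 8:1 /home/alice/my_shadow /etc/shadow rw,relatime - ext4 /dev/sda1 rw
66 29 8:1 /srv/etc\\040files /mnt/etc\\040files rw,relatime - ext4 /dev/sda1 rw
"""

_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Decode the octal escapes the kernel uses in mountinfo (\\040 = space, \\011 = tab)."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> dict:
    """Return {mount point: (fstype, source)} for every line of a mountinfo dump."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields precede the " - " separator; fstype and source follow it.
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        mount_point = unescape(fields[4])          # field 5 is the mount point
        fstype, source = post.split()[:2]
        mounts[mount_point] = (fstype, unescape(source))
    return mounts


def is_mountpoint(path: str, mountinfo_text: str) -> bool:
    return posixpath.normpath(path) in parse_mountinfo(mountinfo_text)


def diagnose_rename(target: str, mountinfo_text: str) -> str:
    """Say whether the write-temp-then-rename pattern can succeed for `target`."""
    mounts = parse_mountinfo(mountinfo_text)
    target = posixpath.normpath(target)
    if target in mounts:
        fstype, source = mounts[target]
        return (f"{target} is a mount point ({fstype} from {source}); rename() onto it "
                f"returns EBUSY ({os.strerror(errno.EBUSY)}). Mount the parent directory "
                f"instead of the file so the atomic replace can succeed.")
    parent = posixpath.dirname(target)
    return f"{target} is a plain file; rename() within {parent} can replace it atomically."


def read_live_mountinfo() -> str:
    """Read the real table on Linux (empty string elsewhere), e.g. from inside a container."""
    try:
        with open("/proc/self/mountinfo", encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    table = read_live_mountinfo() or SAMPLE_MOUNTINFO
    for path in ("/etc/passwd", "/etc/shadow", "/etc/group"):
        print(diagnose_rename(path, table))
```

Run it inside the affected container to confirm the diagnosis: if /etc/shadow is listed as a mount point, no amount of permission fixing will help, and mounting the directory that holds the files (or a different directory plus symlinks, as the answer suggests) is the only way to let the rename go through.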

In fact the problem is related to the mounting of files, see:

You cannot use -v with a relative path name as there is nothing to be relative to since this is done by the daemon. This is creating a named volume, which would go into /var/lib/docker/volumes/my_passwd, and would be a dir. I'm surprised the container even started since it would be trying to mount a dir onto a file.

Yes, I will close this issue now. Issue is not related to docker, but to how passwd command works.

The similar problem arises when using passwd:

docker run -ti -v my_passwd:/etc/passwd -v my_shadow:/etc/shadow --rm centos
[root@681a5489f3b0 /]# useradd test   # does not work!?
useradd: failure while writing changes to /etc/passwd
[root@681a5489f3b0 /]# ll /etc/passwd /etc/shadow   # permission check
-rw-r--r-- 1 root root 157 Oct  8 10:17 /etc/passwd
-rw-r----- 1 root root 100 Oct  7 18:02 /etc/shadow

Verify that the entry has been added to /etc/subuid and /etc/subgid:

Warning: Some distributions, such as RHEL and CentOS 7.3, do not automatically add the new group to the /etc/subuid and /etc/subgid files. You are responsible for editing these files and assigning non-overlapping ranges, in this case. This step is covered in Prerequisites.

After adding your user, check /etc/subuid and /etc/subgid to see if your user has an entry in each. If not, you need to add it, being careful to avoid overlap.

The way the namespace remapping is handled on the host is using two files, /etc/subuid and /etc/subgid. These files are typically managed automatically when you add or remove users or groups, but on a few distributions such as RHEL and CentOS 7.3, you may need to manage these files manually.

The remapping itself is handled by two files: /etc/subuid and /etc/subgid. Each file works the same, but one is concerned with the user ID range, and the other with the group ID range. Consider the following entry in /etc/subuid:

testuser:231072:65536

$ id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

Each file contains three fields: the username or ID of the user, followed by a beginning UID or GID (which is treated as UID or GID 0 within the namespace) and a maximum number of UIDs or GIDs available to the user. For instance, given the following entry:

testuser:231072:65536

$ dockerd --userns-remap="testuser:testuser"

"userns-remap": "testuser"

$ id dockremap
uid=112(dockremap) gid=116(dockremap) groups=116(dockremap)

$ grep dockremap /etc/subuid
dockremap:231072:65536

$ grep dockremap /etc/subgid
dockremap:231072:65536

$ docker run hello-world

$ sudo ls -ld /var/lib/docker/231072.231072/
drwx------ 11 231072 231072 11 Jun 21 21:19 /var/lib/docker/231072.231072/

$ sudo ls -l /var/lib/docker/231072.231072/
total 14
drwx------  5 231072 231072 5 Jun 21 21:19 aufs
drwx------  3 231072 231072 3 Jun 21 21:21 containers
drwx------  3 root   root   3 Jun 21 21:19 image
drwxr-x---  3 root   root   3 Jun 21 21:19 network
drwx------  4 root   root   4 Jun 21 21:19 plugins
drwx------  2 root   root   2 Jun 21 21:19 swarm
drwx------  2 231072 231072 2 Jun 21 21:21 tmp
drwx------  2 root   root   2 Jun 21 21:19 trust
drwx------  2 231072 231072 3 Jun 21 21:19 volumes
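The subuid/subgid entry format and the "non-overlapping ranges" rule above are easy to get wrong when the files are edited by hand. The script below is an added example (not part of the Docker documentation quoted above) that parses entries in the `name:start:count` form, reports any two ranges that intersect, and translates an ID inside the user namespace to the host ID it maps to (and back), which explains why the directory listed above is owned by 231072. The file contents it uses are constructed; it assumes one range per user, which is the common case.

```python
# Added example (not from the Docker docs): parse /etc/subuid and /etc/subgid,
# detect overlapping ranges, and map container IDs to host IDs. One range per
# user is assumed (a user may in fact have several lines; they are not concatenated here).
from typing import List, Optional, Tuple

Entry = Tuple[str, int, int]   # (name, start, count)

# Constructed sample; the dockremap and alice ranges deliberately overlap.
SAMPLE_SUBUID = """\
# name:start:count
testuser:231072:65536
dockremap:296608:65536
alice:300000:65536
"""


def parse_subid(text: str) -> List[Entry]:
    """Return [(name, start, count)] for each entry; blank and comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {line!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0 and count > 0")
        entries.append((name, start, count))
    return entries


def find_overlaps(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (name_a, name_b) for every pair of entries whose ID ranges intersect."""
    overlaps = []
    ordered = sorted(entries, key=lambda e: e[1])
    for i, (name_a, start_a, count_a) in enumerate(ordered):
        end_a = start_a + count_a            # exclusive upper bound of range a
        for name_b, start_b, _ in ordered[i + 1:]:
            if start_b < end_a:              # sorted by start, so this is an intersection
                overlaps.append((name_a, name_b))
    return overlaps


def host_id(entries: List[Entry], name: str, ns_id: int) -> Optional[int]:
    """Map a UID/GID inside the user namespace (0 = container root) to the host ID."""
    for entry_name, start, count in entries:
        if entry_name == name and 0 <= ns_id < count:
            return start + ns_id
    return None                               # outside the user's allotted range


def ns_id(entries: List[Entry], name: str, host: int) -> Optional[int]:
    """Reverse lookup: which in-namespace ID does a host-visible owner ID correspond to?"""
    for entry_name, start, count in entries:
        if entry_name == name and start <= host < start + count:
            return host - start
    return None


if __name__ == "__main__":
    entries = parse_subid(SAMPLE_SUBUID)
    print("overlapping ranges:", find_overlaps(entries))
    # Container root under the testuser entry owns files as 231072 on the host,
    # which is why /var/lib/docker/231072.231072 is owned by UID 231072.
    print("container uid 0 ->", host_id(entries, "testuser", 0))
    print("host uid 231072 ->", ns_id(entries, "testuser", 231072))
```

Point `parse_subid` at the real /etc/subuid and /etc/subgid after adding a user on RHEL/CentOS 7.3 and check that `find_overlaps` returns an empty list before restarting dockerd with --userns-remap.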

The following command will show you the contents of the secure shadow password file from the host system:

You may be wondering what sort of damage a user can do if they can run Docker. As a simple example, the following command (don’t run it!) would delete all the binaries in /sbin on your host machine (if you took out the bogus --donotrunme flag):

docker run --donotrunme -v /sbin:/sbin busybox rm -rf /sbin

As Docker makes clear in its documentation, access to the Docker API implies access to root privileges, which is why Docker must often be run with sudo, or the user must be added to a user group (which might be called “docker”, or “dockerroot”) that allows access to the Docker API.

It’s worth pointing out that this is true even if you’re a non-root user.

This is a critical flaw and it is supposed to allow easy privilege escalation. I can add a user into /etc/passwd.

But I cannot switch to this user, because su does not have SUID permission:

Of course, if the application running in the container makes use of /etc/passwd then modifying it could have an impact, but that'll be situational depending on what the container does.

So how can I use the credentials added to /etc/passwd? Curl is available if that can help.

We are producing a Docker image (based on CentOS) which is designed to be executed by a non-root user. However, this user has write access to /etc/passwd because he is in "root" group. Here are /etc/passwd permissions:

-rw-rw-r-- 1 root root 692 Dec 16 14:35 /etc/passwd
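The situation in the question, a group-writable /etc/passwd owned by root:root and an application user whose primary group is gid 0, is something an image audit can catch before the image ships. The script below is an added example (not code from the question or its answers) that applies the kernel's owner/group/other permission check to a file's mode and ownership and lists every non-root account that could modify it, using group memberships read from passwd and group data. The passwd and group contents are constructed to match the listing above: `appuser` is placed in gid 0, `other` is not. `audit_file` runs the same check against a real file's os.stat result.

```python
# Added example (not from the question): find non-root accounts that can write a
# file such as /etc/passwd, given its mode/owner and the image's passwd/group data.
import os
import stat
from typing import Dict, List, Set, Tuple

# Constructed sample data: appuser's primary group is 0 ("root"), other's is not.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
appuser:x:1000:0:app user:/home/appuser:/bin/bash
other:x:1001:1001::/home/other:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
appgroup:x:1001:
wheel:x:10:other
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {name: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text: str) -> Dict[int, Set[str]]:
    """Return {gid: set of supplementary member names}."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            groups[int(f[2])] = {m for m in f[3].split(",") if m}
    return groups


def groups_of(name: str, users: Dict[str, Tuple[int, int]], groups: Dict[int, Set[str]]) -> Set[int]:
    """Primary gid plus every group that lists the user as a member."""
    gids = {users[name][1]}
    gids.update(gid for gid, members in groups.items() if name in members)
    return gids


def can_write(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Set[int]) -> bool:
    """Discretionary access check as the kernel applies it: only the first matching
    class (owner, then group, then other) is consulted; root bypasses via CAP_DAC_OVERRIDE."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def non_root_writers(mode: int, owner_uid: int, owner_gid: int,
                     passwd_text: str, group_text: str) -> List[str]:
    """Names of non-root accounts able to modify the file. A non-empty result for
    /etc/passwd means any of them can add or alter accounts in the image."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return sorted(
        name for name, (uid, _) in users.items()
        if uid != 0 and can_write(mode, owner_uid, owner_gid, uid, groups_of(name, users, groups))
    )


def audit_file(path: str, passwd_text: str, group_text: str) -> List[str]:
    """Same check against a real file, e.g. audit_file('/etc/passwd', ...) inside the image."""
    st = os.stat(path)
    return non_root_writers(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, passwd_text, group_text)


if __name__ == "__main__":
    # -rw-rw-r-- root root, the listing from the question
    print(non_root_writers(0o664, 0, 0, SAMPLE_PASSWD, SAMPLE_GROUP))
    # -rw-r--r-- root root, the usual mode for /etc/passwd
    print(non_root_writers(0o644, 0, 0, SAMPLE_PASSWD, SAMPLE_GROUP))
```

The fix the audit points at is the usual one: keep /etc/passwd at mode 0644 owned by root:root and give the application user its own primary group rather than gid 0, so that `non_root_writers` returns an empty list.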

This is because the /etc/passwd and the /etc/group files are included in the container, and they do not know about the users or groups in the system. As we want to resemble the system in the container, we can share a readonly copy of /etc/passwd and /etc/group by modifying the /bin/dosh script:

The problem now is that the name of the user (and the groups) are not properly resolved inside the container.

Using this script we start the user containers on demand and their processes are kept between log-ins. Moreover, the log-in will fail in case that the container fails to start.

This happens because the user inside the container is “root” that has UID=0, and it is root because the Docker daemon is root with UID=0.

This could be achieved in a very easy way. You just need to create a script like the next one:

root@onefront00:~# cat > /bin/dosh << \EOF
#!/bin/sh
docker run --rm -it alpine ash
EOF
root@onefront00:~# chmod +x /bin/dosh
root@onefront00:~# echo "/bin/dosh" >> /etc/shells
