The uid map to use in the user namespace. Each map
consists of four colon-separate values. First a character
'u', 'g' or 'b' to specify whether this map pertains to
user ids, group ids, or both; next the first userid in the
user namespace; next the first userid as seen on the host;
and finally the number of ids to be mapped.
More than one map can be specified. If no map is
specified, then by default the full uid and gid ranges
granted by /etc/subuid and /etc/subgid will be mapped to
the uids and gids starting at 0 in the container.
Note that lxc-usernsexec always tries to setuid and setgid
to 0 in the namespace. Therefore uid 0 in the namespace
must be mapped.
To spawn a shell with the full allotted subuids mapped into the
To run a different shell than /bin/sh, use
lxc-usernsexec -- /bin/bash
If your user id is 1000, root in a container is mapped to 190000,
and you wish to chown a file you own to root in the container,
you can use:
lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file
This maps your userid to root in the user namespace, and 190000
to uid 1. Since root in the user namespace is privileged over
all userids mapped into the namespace, you are allowed to change
the file ownership, which you could not do on the host using a
This page is part of the lxc (Linux containers) project.
Information about the project can be found at
⟨http://linuxcontainers.org/⟩. If you have a bug report for this
manual page, send it to email@example.com.
This page was obtained from the project's upstream Git repository
⟨git://github.com/lxc/lxc⟩ on 2021-04-01. (At that time, the
date of the most recent commit that was found in the repository
was 2021-04-01.) If you discover any rendering problems in this
HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not
part of the original manual page), send a mail to