GNU logs - #60890, boring messages


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem
Resent-From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Tue, 17 Jan 2023 19:31:01 +0000
Resent-Message-ID: <handler.60890.B.16739838126522 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 60890
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 60890 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-guix <bug-guix@HIDDEN>
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Date: Tue, 17 Jan 2023 14:30:03 -0500
Message-ID: <87zgahyn5w.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi,

I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper [0], to avoid forgetting about it.

It was found that using something like:

--8<---------------cut here---------------start------------->8---
(make-forkexec-constructor
  (least-authority
    (list (file-append coreutils "/bin/true"))
    (mappings (delq 'user %namespaces)))  ; least-authority form ends here,
  #:user  "nobody"                         ; so #:user and #:group are
  #:group "nobody")                        ; make-forkexec-constructor's
--8<---------------cut here---------------end--------------->8---

would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.

The solution proposed by Ludovic would be to [1]:

> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid.  ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.

[0]  https://issues.guix.gnu.org/54786#16
[1]  https://issues.guix.gnu.org/54786#17

-- 
Thanks,
Maxim
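The ordering problem described in the report, reproduced with the raw Linux calls. This is an added example, not code from the bug report or from Guix. Unsharing any namespace other than the user namespace needs CAP_SYS_ADMIN in the caller's user namespace, and setuid(2) from root to another uid clears the process's capabilities, so doing the uid drop first (what make-forkexec-constructor's #:user/#:group do) makes the wrapper's later unshare fail with EPERM, while unsharing first and dropping afterwards (Ludovic's proposal) works when started as root. The mount namespace stands in for the set left over after (delq 'user %namespaces), and uid/gid 65534 for "nobody" is an assumption, not taken from the page.

```c
/* Added example (not from the bug report): the two possible orders of
 * "switch to nobody" and "unshare a namespace", run in forked children so
 * the caller keeps its own uid and namespaces. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* value from <linux/sched.h>: mount namespace */
#endif

#define NOBODY_UID 65534  /* assumed uid of "nobody" (Guix, Debian) */
#define NOBODY_GID 65534  /* assumed gid of "nobody" */

struct outcome {
    int step;  /* 0 if both steps succeeded, else the 1-based step that failed */
    int err;   /* errno of the failing step, 0 on success */
};

/* What make-forkexec-constructor's #:user/#:group amount to. */
static int drop_to_nobody(void)
{
    if (setgid(NOBODY_GID) != 0)
        return -1;
    return setuid(NOBODY_UID);
}

/* What the wrapper does once 'user is removed from the namespace list:
 * new namespaces inside the existing user namespace, which needs
 * CAP_SYS_ADMIN.  syscall(2) avoids needing _GNU_SOURCE for unshare(3). */
static int unshare_mount_ns(void)
{
    return (int)syscall(SYS_unshare, CLONE_NEWNS);
}

/* Run two steps in a child and report the first failure through a pipe. */
static struct outcome run_in_child(int (*first)(void), int (*second)(void))
{
    struct outcome out = { -1, 0 };
    int fds[2];

    if (pipe(fds) != 0) {
        out.err = errno;
        return out;
    }
    pid_t pid = fork();
    if (pid < 0) {
        out.err = errno;
        close(fds[0]);
        close(fds[1]);
        return out;
    }
    if (pid == 0) {
        struct outcome o = { 0, 0 };
        if (first() != 0) {
            o.step = 1;
            o.err = errno;
        } else if (second() != 0) {
            o.step = 2;
            o.err = errno;
        }
        ssize_t n = write(fds[1], &o, sizeof o);
        _exit(n == (ssize_t)sizeof o ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &out, sizeof out) != (ssize_t)sizeof out)
        out.err = EIO;  /* child never reported; count it as a failure */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return out;
}

/* The composition from the report: uid dropped first, unshare afterwards. */
struct outcome drop_then_unshare(void)
{
    return run_in_child(drop_to_nobody, unshare_mount_ns);
}

/* The proposed fix: unshare while still privileged, then setgid/setuid. */
struct outcome unshare_then_drop(void)
{
    return run_in_child(unshare_mount_ns, drop_to_nobody);
}

static void report(const char *label, struct outcome o)
{
    if (o.err == 0)
        printf("%s: both steps succeeded\n", label);
    else
        printf("%s: step %d failed: %s\n", label, o.step, strerror(o.err));
}

int main(void)
{
    report("setuid first, unshare second", drop_then_unshare());
    report("unshare first, setuid second", unshare_then_drop());
    return 0;
}
```

Run as root, the first order fails at step 2 with "Operation not permitted" and the second order succeeds; run unprivileged, both fail at step 1, since neither changing uid nor unsharing is allowed without privilege. In no case does the unshare-first order fail at the uid drop with EPERM, which is the property the proposed fix relies on.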




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: bug#60890: Acknowledgement (least-authority-wrapper and
 make-forkexec-constructor composition problem)
Message-ID: <handler.60890.B.16739838126522.ack <at> debbugs.gnu.org>
References: <87zgahyn5w.fsf@HIDDEN>
X-Gnu-PR-Message: ack 60890
X-Gnu-PR-Package: guix
Reply-To: 60890 <at> debbugs.gnu.org
Date: Tue, 17 Jan 2023 19:31:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 60890 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
60890: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60890
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems



Last modified: Tue, 17 Jan 2023 19:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.