GNU bug report logs - #60890
least-authority-wrapper and make-forkexec-constructor composition problem

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; dated Tue, 17 Jan 2023 19:31:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 17 Jan 2023 19:30:12 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 17 14:30:12 2023
Received: from localhost ([127.0.0.1]:38316 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1pHreu-0001h7-Ef
	for submit <at> debbugs.gnu.org; Tue, 17 Jan 2023 14:30:12 -0500
Received: from lists.gnu.org ([209.51.188.17]:59748)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1pHreq-0001gx-Ro
 for submit <at> debbugs.gnu.org; Tue, 17 Jan 2023 14:30:11 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1pHreq-0002I3-K7
 for bug-guix@HIDDEN; Tue, 17 Jan 2023 14:30:08 -0500
Received: from mail-qt1-x832.google.com ([2607:f8b0:4864:20::832])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1pHreo-0007tT-HT
 for bug-guix@HIDDEN; Tue, 17 Jan 2023 14:30:07 -0500
Received: by mail-qt1-x832.google.com with SMTP id fd15so18127848qtb.9
 for <bug-guix@HIDDEN>; Tue, 17 Jan 2023 11:30:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=uEPMqzK3Q0WgY8ErsaIPWWCCoMNTMUhBImGpi+UgCho=;
 b=XclS+R1r14kMy62FxWDDnRE5qpZwtoeNqBNK4OT6Bc9tE+ZqQa/NYUfaAyCyv9/MJ+
 bAFtUAIe8+Owt9em5hP8QnNjOfJdly47O0RMLAJDVIRSFeeLNja5MdqsRT/qgGrAjmfR
 mIxQP+gK3VaXD2PX8tI/XEvxn1KP+/GpPiNG84otNp8f+rdxSnl3fSxpFQlGk4MvKKbL
 86jkiQc/t5fTc/fexFfArqpedeeHqZiTJK4X1nOa9NYngQwKxwxw/QopPVPi+hRNTuJY
 RzdmfY1FsJVPFJ0MHN4GgSiGDtzgs0n+8EGYdbgl/yFM5lO/mNPsEMBN8Lb6PagtCZuy
 2klw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=uEPMqzK3Q0WgY8ErsaIPWWCCoMNTMUhBImGpi+UgCho=;
 b=kcFSJIbS56NTUMITdBZvpIfhO7NVI3WwG0RrjfxK7y6PCefCMBymxC4j5fYP30QPUl
 e+ts0rgkn/STY6m+duZDBsI5IkRr24xemUPqrPpsZvy3z3bnavfvRsMSKjL0suH06xhJ
 12oCtzfbX+la9IDmQL4xhlPMsMolVK3pCN1vIUs/5EEACLEmw8imwS+3Uj7Gne+TXEEk
 FddgymXyOGveqDE9mkWZxFsglCOppIen28wjTEeSG/PU9kK6PMIa2sIS2x8i2L+JofEw
 85rNL5Onla82GilUsfk7hyEx/PsHjtEvJ7XELl3rcNA1fi0n+A7ZS4Lj5MUGa+/XJoGb
 jGZw==
X-Gm-Message-State: AFqh2krYP/Hz9Us6DrLOtPdPTqvs2aRoGVekf/Y7uyKiwsrgTjQOs7WG
 Tnij2J0W6mIw7fQsyKN98dmLzT7D5joTVuDT
X-Google-Smtp-Source: AMrXdXt8LGxuUaJGQ/WEcJaKKwZXMvP1RXFhh/N5wy+cgvo7ERT6BBLMZUltaZ0EQYAh4KTb9W5Q/A==
X-Received: by 2002:ac8:70cc:0:b0:3b6:3b8d:f24f with SMTP id
 g12-20020ac870cc000000b003b63b8df24fmr6029210qtp.56.1673983805304; 
 Tue, 17 Jan 2023 11:30:05 -0800 (PST)
Received: from hurd (dsl-205-233-125-107.b2b2c.ca. [205.233.125.107])
 by smtp.gmail.com with ESMTPSA id
 fg13-20020a05622a580d00b003a6a92a202esm16481036qtb.83.2023.01.17.11.30.04
 for <bug-guix@HIDDEN>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 17 Jan 2023 11:30:04 -0800 (PST)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: bug-guix <bug-guix@HIDDEN>
Subject: least-authority-wrapper and make-forkexec-constructor composition
 problem
Date: Tue, 17 Jan 2023 14:30:03 -0500
Message-ID: <87zgahyn5w.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2607:f8b0:4864:20::832;
 envelope-from=maxim.cournoyer@HIDDEN; helo=mail-qt1-x832.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Hi,

I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper [0], to avoid forgetting about it.

It was found that using something like:

--8<---------------cut here---------------start------------->8---
(make-forkexec-constructor
  (least-authority
    (list (file-append coreutils "/bin/true"))
    (mappings (delq 'user %namespaces))
  #:user  "nobody"
  #:group "nobody"))
--8<---------------cut here---------------end--------------->8---

Would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.

The solution proposed by Ludovic in would be to [1]:

> [...] add #:user and #:group to =E2=80=98least-authority-wrapper=E2=80=99=
 and
> have it call setuid/setgid.  =E2=80=98make-forkexec-constructor=E2=80=99 =
doesn=E2=80=99t need to
> be modified, but the user simply won=E2=80=99t pass #:user and #:group to=
 it.

[0]  https://issues.guix.gnu.org/54786#16
[1]  https://issues.guix.gnu.org/54786#17

--=20
Thanks,
Maxim




Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#60890; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Tue, 17 Jan 2023 19:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.