GNU bug report logs - #77862
guix-daemon run as non-root sets up /etc/group incorrectly in build container

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 3 Jun 2025 13:05:57 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 03 09:05:57 2025
Received: from localhost ([127.0.0.1]:33288 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uMRL0-000879-2B
	for submit <at> debbugs.gnu.org; Tue, 03 Jun 2025 09:05:56 -0400
Received: from mailout.russelstein.xyz ([2605:6400:20:11e::1]:56080)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <reepca@HIDDEN>)
 id 1uMRKq-000855-OG
 for 77862 <at> debbugs.gnu.org; Tue, 03 Jun 2025 09:05:50 -0400
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
 d=russelstein.xyz; s=ed25519; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=FzDctlFE64VVVqI/PuHtMa3A7aLpM/0tqnL89/Mn/IE=; b=hhRN/vk5J0ywVs6lutXtvrzusN
 Y66a74z8FCSqE2yzAY4ObtOeUMlK99lPlNQsNDy84jvX8WH/AwOxHUW2kvCg==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=russelstein.xyz; s=rsa; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=FzDctlFE64VVVqI/PuHtMa3A7aLpM/0tqnL89/Mn/IE=; b=DBnw1T+SnL1RIMMajaAiBThVSa
 MXo7djHr/kvmT5BrDVTgyubKr22csVg1j38itY/2aOxnrKjZWCJRMgDUbhpthYblWCOKWdzox+iHw
 VwhTUKbky2dWI6aWle14rj48isjv8l0VT8KIv2OZ4pCgcDFapBQ/hFr+E/FRVlx/eLXiAv8Esbuxc
 j7WXhgBDfo04mZVtPN3mMB0cotFOQiC21fN7Q8bjkd80G3fJotLtACAvf0p+riic/UCyVo8WMAGLb
 0tFZZolmVa7/FB4H0ADaWQ5QjOq0ypkgk+PmLh8MYwQuV2Df3EkMU/U4Qw/oWkpeCS4/YJr8c1qTW
 1huGD3j1A8u1Gx2PWbYSgmCmpeHrnXrh99l1FZxS1ZhMZbadG+3u/7pu81Da5WTqYO9v5u5T/CX6X
 i808Bh7DTO+ORw1i3spuZK1zTNTezb2PQZWXM0B1B5K1Iv8qCLCSmF6mxLxmtjzZlz0XXyHfuJCgo
 165SLD7OrSFiYddDK6mSQHV8C5TxOf1ggemL81+mdzXUcfKrQD70CoYru++2dTqIF2Zxp2Vcoj2yF
 2VIB4OS855SCen9GLgBElgBzhDGY7WxMgAOcbVIgT9H3t7W8yAf6XOlNEbSiEe/AagAgi1Dj/lrig
 s3IBhfplPH6V5hTgvDwSQtPMHKrsGEJcORL64iv5k=;
Received: by russelstein.xyz with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.98) (envelope-from <reepca@HIDDEN>)
 id 1uMRKi-0000000056m-1gfu; Tue, 03 Jun 2025 08:05:36 -0500
From: Reepca Russelstein <reepca@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87ecw1onun.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?=
 =?utf-8?Q?s?= message of "Mon, 02 Jun 2025 23:06:08 +0200")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN> <87r0158ye6.fsf@HIDDEN>
 <e153f8b1b38b01c93bc29d11091091a3@HIDDEN> <87jz6c67sf.fsf@HIDDEN>
 <875xhw84w7.fsf@HIDDEN> <87ecw1onun.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Tue, 03 Jun 2025 08:05:21 -0500
Message-ID: <87a56pq8ku.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: 0.5
X-Spam-Bar: /
X-Spam-Score-Int: 5
X-Spam-Report: Spam detection software, running on the system "Sanctum",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hey Reepca, > >
   Reepca Russelstein <reepca@HIDDEN> writes: > >> Ludovic Courtès
   <ludo@HIDDEN> writes: > > [...] > >>> The attached patch tries to do that,
    by calling out to ‘newuidmap†[...] 
 
 Content analysis details:   (0.5 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hey Reepca, > >
   Reepca Russelstein <reepca@HIDDEN> writes: > >> Ludovic Courtès
   <ludo@HIDDEN> writes: > > [...] > >>> The attached patch tries to do that,
    by calling out to ‘newuidmap†[...] 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
                             [URI: russelstein.xyz (xyz)]
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
X-Debbugs-Envelope-To: 77862
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hey Reepca, > >
   Reepca Russelstein <reepca@HIDDEN> writes: > >> Ludovic Courtès
   <ludo@HIDDEN> writes: > > [...] > >>> The attached patch tries to do that,
    by calling out to ‘newuidmap†[...] 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
                             [URI: russelstein.xyz (xyz)]
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
  1.0 BULK_RE_SUSP_NTLD      Precedence bulk and RE: from a suspicious TLD
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

> Hey Reepca,
>
> Reepca Russelstein <reepca@HIDDEN> writes:
>
>> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>
> [...]
>
>>> The attached patch tries to do that, by calling out to =E2=80=98newuidm=
ap=E2=80=99, and
>>> under the assumption that /etc/subgid allows mapping the =E2=80=98kvm=
=E2=80=99 group.
>>>
>>> It does the job (a build process can chown to =E2=80=98kvm=E2=80=99), b=
ut I couldn=E2=80=99t get
>>> the GID mapping preserved across the =E2=80=98unshare=E2=80=99 call (th=
e call that is
>>> made to =E2=80=9Clock=E2=80=9D mounts), hence the =E2=80=9C#if 0=E2=80=
=9D there.
>>>
>>> The problem is that when we call =E2=80=98unshare=E2=80=99, the =E2=80=
=98newgidmap=E2=80=99 setuid
>>> binary is not longer accessible because we=E2=80=99re already in a chro=
ot, so it
>>> seems that we cannot preserve the GID map.
>>
>> ... and even if we had the setuid binary accessible (for example via a
>> saved file descriptor that could be used with execveat, or a
>> bind-mount), it wouldn't be of any use at this point because (man
>> user_namespaces):
>>
>> "if either the user or the group ID of the file has no mapping inside
>> the namespace, the set-user-ID (set-group- ID) bit is silently ignored:
>> the new program is executed, but the process's effective user (group) ID
>> is left unchanged."
>>
>> Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
>> newuidmap and newgidmap can't ever be used from within an uninitialized
>> user namespace, since by definition uid 0 isn't yet mapped in it.
>>
>> So it falls to the parent process to do the initialization - that is, it
>> now has to do the initialization twice.  Of course, it's going to need
>> some way of knowing when the second user namespace has been created, and
>> the child is going to need some way of knowing when it's been
>> initialized, so we'll need to either use two pipes or switch to using a
>> socketpair.
>
> That makes sense, thanks for explaining!
>
> However, I think part of the rules still don=E2=80=99t fit in my head.  H=
ere=E2=80=99s
> what I have now (parent is 6929):
>
> 6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 06=
66) =3D 17
> 6929  write(17, "30001 1000 1", 12)     =3D 12
> 6929  close(17)                         =3D 0
> 6929  openat(AT_FDCWD, "/proc/6938/setgroups", O_WRONLY|O_CREAT|O_TRUNC, =
0666) =3D 17
> 6929  write(17, "deny", 4)              =3D 4
> 6929  close(17)                         =3D 0
> 6929  openat(AT_FDCWD, "/proc/6938/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 06=
66) =3D 17
> 6929  write(17, "30000 998 1", 11)      =3D 11
> 6929  close(17)                         =3D 0
> [=E2=80=A6]
> 6938  unshare(CLONE_NEWNS|CLONE_NEWUSER) =3D 0
> 6938  write(20, "reinit\n", 7)          =3D 7
> 6929  <... read resumed>"reinit\n", 20) =3D 7
> 6938  read(17,  <unfinished ...>
> 6929  write(4, "gmlo\0\0\0\0+\0\0\0\0\0\0\0|   reinitializing UID/GID map=
ping of 6938\n\0\0\0\0\0", 64) =3D 64
> 6929  getgid()                          =3D 998
> 6929  getuid()                          =3D 1000
> 6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 06=
66) =3D 17
> 6929  write(17, "30001 1000 1", 12)     =3D -1 EPERM (Operation not permi=
tted)
>
> Why oh why would we get EPERM the second time?
>
> These restrictions appear to be respected:
>
>    =E2=80=A2  The data written to uid_map (gid_map) must consist of a sin=
=E2=80=90
>       gle  line  that maps the writing process's effective user ID
>       (group ID) in the parent user namespace to a user ID  (group
>       ID) in the user namespace.
>
>    =E2=80=A2  The  writing process must have the same effective user ID as
>       the process that created the user namespace.
>
> Or is the user namespace of the parent (6929) not the same as =E2=80=9Cthe
> parent user namespace=E2=80=9D?

I'm afraid that is indeed what we're running in to: "the parent user
namespace" is the one created by clone.  And because the parent user
namespace is not the root user namespace, we couldn't run newgidmap from
within it, even if we still had a process around that was in it.

However, at this point, we actually don't need to use newgidmap, because
we have CAP_SETGID in the current user namespace... but in order to use
the "no restrictions" version of writing to gid_map, it's necessary for
the writing process to have CAP_SETGID in the *parent* user namespace
(in hindsight, this is what the actual problem was with the original
patch - it specified "true" for haveCapSetGID, so it shouldn't have been
using newgidmap anyway).  This necessarily requires that the writing
process is not in the user namespace being initialized, and because it
must either be in the namespace being initialized or its parent user
namespace, that means it must be in the parent user namespace.  Of
course, at this point, no processes exist in the parent user namespace.

So if you'll bear with the extreme awkwardness, we could fork a helper
process immediately prior to calling unshare, which, upon receiving a
notification, will initialize the parent process's user namespace.  Note
that the naming here is going to be inverted for process ancestry and
user namespace ancestry: the child process is in the parent user
namespace, and the parent process is in the child user namespace.

> Thanks for your patience.  :-)
>
> Ludo=E2=80=99.
>
> PS: The more I use it, the less I can stand this user namespace soup
>     presented as an =E2=80=9CAPI=E2=80=9D.

It certainly has a lot of clauses.  I will say, I did some reading of
the GNU Mach manual and was awed by how much simpler things could be if
every system call dealing with processes just took an explicit task port
argument like it does there.  The requirement that so many things
associated with processes can only be manipulated indirectly, and
usually only by the process itself, has caused no end of troubles, and
as the number of process-associated attributes in Linux continues to
grow, the interactions will likely only get more complicated.

It's not the kind of job security that gives any satisfaction.

=2D reepca

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAmg+8xEXHHJlZXBjYUBy
dXNzZWxzdGVpbi54eXoACgkQwWaqSV9/GJwHqwf/Yk5zU/R/UFw9y5s6M9rM/bMK
/yyu9yestaRkjJKPb2cpro+hdNUZgSa1qwLiLiri5rk06/zW2NyTephfwRInafD2
99m5PYU3dBN53K+3dPs8TlaYZkqPNXOqdFJHBvDA+nlkq4IqdVCb0QKN7pdEzuxk
h14IEHMdJEdePbyBtYhyb17++Kd+Guy8sQBQbEBJNmFFVKv1s3D3Ic3lN+wSSxoq
ZgQOlhRVQ6M5OcYKN5c9QAUzgoB0mzs63ILfmnbbtxmvFoYV0xO50hbDb2sQbIrp
aQ87ZKtipsydSssO4bOE0F7abAQ4LuMfPZHPPJfbRhMqdC/wbUYjuHHVtQzUkw==
=vZqx
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 2 Jun 2025 21:06:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 02 17:06:39 2025
Received: from localhost ([127.0.0.1]:55964 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uMCMh-0004WE-9h
	for submit <at> debbugs.gnu.org; Mon, 02 Jun 2025 17:06:39 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53810)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1uMCMd-0004Vl-TK
 for 77862 <at> debbugs.gnu.org; Mon, 02 Jun 2025 17:06:36 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1uMCMV-0003rZ-FN; Mon, 02 Jun 2025 17:06:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=nAJ1n4NYUdoI4BzW6w1QmH4jbm3xAdoku6l83/5vO9A=; b=HugAADAgUBK7caax/G2F
 Uf4oYZs0bd4jFW80Xh0RvvxLfR2vwJB7myJHXFAJOwuFV+YMFo1i8iStUg3sS0DAbbKZh2se2lSuR
 F7apWAT4+AJ/R7Iu913cslG4Ap7p6hTozxQ4qYY15dALy78YcKzFJSmdlhAfFnyCj8iA4xG8Q6pC6
 jXSP2VXSM05FaAUxqMSKgtjehkqKayFGsLeVK5mXpQVDMGWdqaEec5pmBLcCdwzo5jf+crI3xMyL2
 IjQbY7uTJhJ+ip3PwvKBTCglIBGyyqfFCTV+6xCPe50CfQbmrLyaWNDW4G5sypUfn6v7IbKZsg6II
 ed3CE0WY6lTTig==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Reepca Russelstein <reepca@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <875xhw84w7.fsf@HIDDEN> (Reepca Russelstein's message of
 "Mon, 19 May 2025 20:09:12 -0500")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN> <87r0158ye6.fsf@HIDDEN>
 <e153f8b1b38b01c93bc29d11091091a3@HIDDEN> <87jz6c67sf.fsf@HIDDEN>
 <875xhw84w7.fsf@HIDDEN>
User-Agent: mu4e 1.12.11; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Quartidi 14 Prairial an 233 de la =?utf-8?Q?R=C3=A9v?=
 =?utf-8?Q?olution=2C?= jour de l'Acacia
Date: Mon, 02 Jun 2025 23:06:08 +0200
Message-ID: <87ecw1onun.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.3 (/)
X-Debbugs-Envelope-To: 77862
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

Hey Reepca,

Reepca Russelstein <reepca@HIDDEN> writes:

> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

[...]

>> The attached patch tries to do that, by calling out to =E2=80=98newuidma=
p=E2=80=99, and
>> under the assumption that /etc/subgid allows mapping the =E2=80=98kvm=E2=
=80=99 group.
>>
>> It does the job (a build process can chown to =E2=80=98kvm=E2=80=99), bu=
t I couldn=E2=80=99t get
>> the GID mapping preserved across the =E2=80=98unshare=E2=80=99 call (the=
 call that is
>> made to =E2=80=9Clock=E2=80=9D mounts), hence the =E2=80=9C#if 0=E2=80=
=9D there.
>>
>> The problem is that when we call =E2=80=98unshare=E2=80=99, the =E2=80=
=98newgidmap=E2=80=99 setuid
>> binary is not longer accessible because we=E2=80=99re already in a chroo=
t, so it
>> seems that we cannot preserve the GID map.
>
> ... and even if we had the setuid binary accessible (for example via a
> saved file descriptor that could be used with execveat, or a
> bind-mount), it wouldn't be of any use at this point because (man
> user_namespaces):
>
> "if either the user or the group ID of the file has no mapping inside
> the namespace, the set-user-ID (set-group- ID) bit is silently ignored:
> the new program is executed, but the process's effective user (group) ID
> is left unchanged."
>
> Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
> newuidmap and newgidmap can't ever be used from within an uninitialized
> user namespace, since by definition uid 0 isn't yet mapped in it.
>
> So it falls to the parent process to do the initialization - that is, it
> now has to do the initialization twice.  Of course, it's going to need
> some way of knowing when the second user namespace has been created, and
> the child is going to need some way of knowing when it's been
> initialized, so we'll need to either use two pipes or switch to using a
> socketpair.

That makes sense, thanks for explaining!

However, I think part of the rules still don=E2=80=99t fit in my head.  Her=
e=E2=80=99s
what I have now (parent is 6929):

--8<---------------cut here---------------start------------->8---
6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666=
) =3D 17
6929  write(17, "30001 1000 1", 12)     =3D 12
6929  close(17)                         =3D 0
6929  openat(AT_FDCWD, "/proc/6938/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 06=
66) =3D 17
6929  write(17, "deny", 4)              =3D 4
6929  close(17)                         =3D 0
6929  openat(AT_FDCWD, "/proc/6938/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666=
) =3D 17
6929  write(17, "30000 998 1", 11)      =3D 11
6929  close(17)                         =3D 0
[=E2=80=A6]
6938  unshare(CLONE_NEWNS|CLONE_NEWUSER) =3D 0
6938  write(20, "reinit\n", 7)          =3D 7
6929  <... read resumed>"reinit\n", 20) =3D 7
6938  read(17,  <unfinished ...>
6929  write(4, "gmlo\0\0\0\0+\0\0\0\0\0\0\0|   reinitializing UID/GID mappi=
ng of 6938\n\0\0\0\0\0", 64) =3D 64
6929  getgid()                          =3D 998
6929  getuid()                          =3D 1000
6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666=
) =3D 17
6929  write(17, "30001 1000 1", 12)     =3D -1 EPERM (Operation not permitt=
ed)
--8<---------------cut here---------------end--------------->8---

Why oh why would we get EPERM the second time?

These restrictions appear to be respected:

   =E2=80=A2  The data written to uid_map (gid_map) must consist of a sin=
=E2=80=90
      gle  line  that maps the writing process's effective user ID
      (group ID) in the parent user namespace to a user ID  (group
      ID) in the user namespace.

   =E2=80=A2  The  writing process must have the same effective user ID as
      the process that created the user namespace.

Or is the user namespace of the parent (6929) not the same as =E2=80=9Cthe
parent user namespace=E2=80=9D?

Thanks for your patience.  :-)

Ludo=E2=80=99.

PS: The more I use it, the less I can stand this user namespace soup
    presented as an =E2=80=9CAPI=E2=80=9D.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 20 May 2025 01:09:57 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 19 21:09:57 2025
Received: from localhost ([127.0.0.1]:48986 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uHBUS-0006kx-GK
	for submit <at> debbugs.gnu.org; Mon, 19 May 2025 21:09:57 -0400
Received: from mailout.russelstein.xyz ([2605:6400:20:11e::1]:47128)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <reepca@HIDDEN>)
 id 1uHBUO-0006kI-RG
 for 77862 <at> debbugs.gnu.org; Mon, 19 May 2025 21:09:54 -0400
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
 d=russelstein.xyz; s=ed25519; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=yYolFOf0Ab7xvB1p7ms7Eabn3RteJLUdQ/ciRP7aiwE=; b=PcDXgblW4Y915grt/3aFj9ZmbC
 BUH+XcnuCi7dgAvTp6gDLzfWjcFniM2W5YOcOn+iuWz3GiFIMuZI7Ota0YBw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=russelstein.xyz; s=rsa; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=yYolFOf0Ab7xvB1p7ms7Eabn3RteJLUdQ/ciRP7aiwE=; b=pFeIa117+7P8MiW9VmAijOAqeP
 /ucxDyaMuppmx2CMiwKge1+HWY62sTa9SHtKpgMyezlvD2GaazzU10eeTNni86kiaBj8aa6qk5Vdu
 SOokUF++zFmVX6pYWvoMCUOBQfC+kceDd5wlqzww6o9pIz9iIkHEgHF+4b7VUF3pZWLSbxPHnEsBP
 JD2R0sTCTkXGDBsw/6r5Aa3aoxQtdZxwK8V818jGI4h2TWPZ2XFZJ18UNqTfl2PPAFbuwiqPQFK5l
 cjL52sNb3oVb837si3lW/eLQlzgWb/KlDNVMYdXWDBp0si0Y3l0ql9D/7zrmhsvoTfr17h6vcHBTP
 7nLx30m3fJ2UGNodCpBtL+qaA4x+WK/Bfx2HROhKUhdLUZzxEz1TlvWSO/SF4FeCJoJexUJVfXzVp
 HHXZWhm367SNbAWVbv95g6NuFPe64dFs4gmHkO+TdssrDf13mRsSCXmd0CMcf8eUZUAGvZ+5U3P+f
 cV9P4DIQhahGdtfRWaFQYDHiUls0ZlSOBIEkcwUAn19x7n02+W4KvboW+LDNXsmPCqRBwqDx8OYhJ
 logeeDRPbHAFcRlw1U/4y2QWtxg3AMSy+kjdZ65U30ISbKwc35WwVNZ81nD9d7g8Lyyesog1sCNBL
 JsfpdLCKyWqJzYXA1QbPVoeD0i/jY3KibBcOFHt/s=;
Received: by russelstein.xyz with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.98) (envelope-from <reepca@HIDDEN>)
 id 1uHBUG-0000000044W-2ny3; Mon, 19 May 2025 20:09:46 -0500
From: Reepca Russelstein <reepca@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87jz6c67sf.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?=
 =?utf-8?Q?s?= message of "Mon, 19 May 2025 15:37:20 +0200")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN> <87r0158ye6.fsf@HIDDEN>
 <e153f8b1b38b01c93bc29d11091091a3@HIDDEN> <87jz6c67sf.fsf@HIDDEN>
Date: Mon, 19 May 2025 20:09:12 -0500
Message-ID: <875xhw84w7.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: 0.5
X-Spam-Bar: /
X-Spam-Score-Int: 5
X-Spam-Report: Spam detection software, running on the system "Sanctum",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hello, > > (Cc:
   Reepca.) > > keinflue <keinflue@HIDDEN> writes: > >> It seems that the
    "chown to overflowgid" issue is somewhat >> widespread. I also see the testsuite
    for go (bootstrap) failing [...] 
 
 Content analysis details:   (0.5 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hello, > > (Cc:
   Reepca.) > > keinflue <keinflue@HIDDEN> writes: > >> It seems that the
    "chown to overflowgid" issue is somewhat >> widespread. I also see the testsuite
    for go (bootstrap) failing [...] 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
  2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
                             [URI: russelstein.xyz (xyz)]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
X-Debbugs-Envelope-To: 77862
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Ludovic Courtès <ludo@HIDDEN> writes: > Hello, > > (Cc:
   Reepca.) > > keinflue <keinflue@HIDDEN> writes: > >> It seems that the
    "chown to overflowgid" issue is somewhat >> widespread. I also see the testsuite
    for go (bootstrap) failing [...] 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
  2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
                             [URI: russelstein.xyz (xyz)]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  1.0 BULK_RE_SUSP_NTLD      Precedence bulk and RE: from a suspicious TLD
  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s <ludo@HIDDEN> writes:

> Hello,
>
> (Cc: Reepca.)
>
> keinflue <keinflue@HIDDEN> writes:
>
>> It seems that the "chown to overflowgid" issue is somewhat
>> widespread. I also see the testsuite for go (bootstrap) failing in the
>> same way. I'd guess most implementations of "chown" system call
>> wrappers in various languages will have test cases like this that fail
>> to anticipate user namespaces. I will let my system build keep running
>> a bit longer and will then post the list of packages I found with log
>> excerpts here.
>
> I think it would be best to support chown-to-supplementary-group even
> with the unprivileged daemon (specifically for the case where
> guix-daemon runs as a dedicated user, and that this user has one
> supplementary group, kvm).
>
> The attached patch tries to do that, by calling out to =E2=80=98newuidmap=
=E2=80=99, and
> under the assumption that /etc/subgid allows mapping the =E2=80=98kvm=E2=
=80=99 group.
>
> It does the job (a build process can chown to =E2=80=98kvm=E2=80=99), but=
 I couldn=E2=80=99t get
> the GID mapping preserved across the =E2=80=98unshare=E2=80=99 call (the =
call that is
> made to =E2=80=9Clock=E2=80=9D mounts), hence the =E2=80=9C#if 0=E2=80=9D=
 there.
>
> The problem is that when we call =E2=80=98unshare=E2=80=99, the =E2=80=98=
newgidmap=E2=80=99 setuid
> binary is not longer accessible because we=E2=80=99re already in a chroot=
, so it
> seems that we cannot preserve the GID map.

... and even if we had the setuid binary accessible (for example via a
saved file descriptor that could be used with execveat, or a
bind-mount), it wouldn't be of any use at this point because (man
user_namespaces):

"if either the user or the group ID of the file has no mapping inside
the namespace, the set-user-ID (set-group- ID) bit is silently ignored:
the new program is executed, but the process's effective user (group) ID
is left unchanged."

Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
newuidmap and newgidmap can't ever be used from within an uninitialized
user namespace, since by definition uid 0 isn't yet mapped in it.

So it falls to the parent process to do the initialization - that is, it
now has to do the initialization twice.  Of course, it's going to need
some way of knowing when the second user namespace has been created, and
the child is going to need some way of knowing when it's been
initialized, so we'll need to either use two pipes or switch to using a
socketpair.

Of some concern also is the ominous statement in "man newgidmap" that
"Note that newgidmap may be used only once for a given process."  I have
no idea how or why it would enforce this, and I'm going to assume for
now that what is actually meant is that "a given user namespace's gid
mapping cannot be written more than once", which is just a restatement
of what "man user_namespaces" says.



It's too bad that the user namespaces implementation doesn't allow
unprivileged users to map their own supplementary groups.  I can't think
of any reason not to - a user can already switch their effective gid to
any supplementary gid they have by creating and executing a setgid
program for that gid.  Are there any operations that require both a
capability /and/ a (mapped) egid check to pass?

It wouldn't surprise me if the ultimate reason is that the kernel devs
wanted to reuse code for uid_map and gid_map, and that it's easier to
verify one line than try to verify an arbitrary set of gids, including
ones in potentially-large ranges.  It's just an unfortunate consequence
that this means that all unprivileged user namespaces have to carry
gibberish supplementary groups around that they can "use" but not
comprehend.

But as long as /etc/subgid is configured to allow each user to map all
of the groups they are a member of, it can at least be worked around.

=2D reepca

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAmgr1jgXHHJlZXBjYUBy
dXNzZWxzdGVpbi54eXoACgkQwWaqSV9/GJyF3gf+K8s3yXefYAsIMYSsvCR3S3m4
kex71eAnQZzjmoqutb8Z3joJpAqvEyD7qc0UDBkisUpwgfSnQWU1RG8kKhyDghEy
EHr3r9KsoORfn9rcqoBnHjKy2oYDDFK0Oigio+MS+86XU+hRhukZiw+CIfJ1FkaZ
0emMWnnlCJzDABJibQ8Jvh/Lu6PxZPgfU6IvBFwwIeB5BzZHswEGdRGjeMXbWj/v
h3Z64nkgGXbHEw7kOyGQAUPpgBRYVE3Y9KeyJ6BHZ78/NM886dCdL7vP0KhZJORQ
N7UeoEKcOQFbycG08D/x/VVYQp+K5PbM/uU8kK0yVIEl+Yya5JQCS99mLd0CWw==
=HPkl
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 19 May 2025 13:54:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 19 09:54:54 2025
Received: from localhost ([127.0.0.1]:39978 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uH0xB-0000XT-N7
	for submit <at> debbugs.gnu.org; Mon, 19 May 2025 09:54:54 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55884)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1uH0x9-0000Wk-1J
 for 77862 <at> debbugs.gnu.org; Mon, 19 May 2025 09:54:51 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1uH0x0-00011S-55; Mon, 19 May 2025 09:54:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=0Qy1Lzc/YtsCwFZtJCHP7+rknasBTuJkYVpsW7J/jUY=; b=Ap3yG8QvYPGglEd2MUtu
 MmKs7G1pjCBcdr+rSMKAKGeEebMsv8IxUIrN9wil2TyS0wa/LRZcrTAknIC+hLx07+Hst/Rn3oHjn
 AdeQwn8ksf/aCV/cVIQ2p3xth1HY1dANtMZk5Yr+e9WFpPdyzcDX96DK4hmeEems4xoofil5LvgVp
 ujTdPq8pisSOj4dJvoKnLukjH+hykseo2XNsG5DO0W1iMz2bv+J6Lg6eFWdfQCXBnvAfnPzrRvEQB
 k9TZhF6KwroaDjaRPJNRu0aEiyDRBPD2xONNuk4J334kjN5x9eXzYJ+cdxxKl0KWdKLeF6oMhQkBZ
 E5IYArAShD8FFg==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <e153f8b1b38b01c93bc29d11091091a3@HIDDEN>
 (keinflue@HIDDEN's message of "Sat, 03 May 2025 19:05:34 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN> <87r0158ye6.fsf@HIDDEN>
 <e153f8b1b38b01c93bc29d11091091a3@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: =?utf-8?Q?D=C3=A9cadi?= 30 =?utf-8?Q?Flor=C3=A9al?= an
 233 de la =?utf-8?Q?R=C3=A9volution=2C?= jour de la
 Houlette
Date: Mon, 19 May 2025 15:37:20 +0200
Message-ID: <87jz6c67sf.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org, Reepca Russelstein <reepca@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

(Cc: Reepca.)

keinflue <keinflue@HIDDEN> writes:

> It seems that the "chown to overflowgid" issue is somewhat
> widespread. I also see the testsuite for go (bootstrap) failing in the
> same way. I'd guess most implementations of "chown" system call
> wrappers in various languages will have test cases like this that fail
> to anticipate user namespaces. I will let my system build keep running
> a bit longer and will then post the list of packages I found with log
> excerpts here.

I think it would be best to support chown-to-supplementary-group even
with the unprivileged daemon (specifically for the case where
guix-daemon runs as a dedicated user, and that this user has one
supplementary group, kvm).

The attached patch tries to do that, by calling out to =E2=80=98newuidmap=
=E2=80=99, and
under the assumption that /etc/subgid allows mapping the =E2=80=98kvm=E2=80=
=99 group.

It does the job (a build process can chown to =E2=80=98kvm=E2=80=99), but I=
 couldn=E2=80=99t get
the GID mapping preserved across the =E2=80=98unshare=E2=80=99 call (the ca=
ll that is
made to =E2=80=9Clock=E2=80=9D mounts), hence the =E2=80=9C#if 0=E2=80=9D t=
here.

The problem is that when we call =E2=80=98unshare=E2=80=99, the =E2=80=98ne=
wgidmap=E2=80=99 setuid
binary is not longer accessible because we=E2=80=99re already in a chroot, =
so it
seems that we cannot preserve the GID map.

Thoughts?

Ludo=E2=80=99.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index a1f39d9a8b..83754b06bd 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -13,6 +13,7 @@
 #include <map>
 #include <sstream>
 #include <algorithm>
+#include <iostream>
 
 #include <limits.h>
 #include <time.h>
@@ -23,6 +24,7 @@
 #include <sys/utsname.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <grp.h>
 #include <errno.h>
 #include <stdio.h>
 #include <cstring>
@@ -1635,15 +1637,77 @@ static const gid_t guestGID = 30000;
 /* Initialize the user namespace of CHILD.  */
 static void initializeUserNamespace(pid_t child,
 				    uid_t hostUID = getuid(),
-				    gid_t hostGID = getgid())
+				    gid_t hostGID = getgid(),
+				    const std::vector<std::pair<gid_t, gid_t>> extraGIDs = {},
+				    bool haveCapSetGID = false)
 {
     writeFile("/proc/" + std::to_string(child) + "/uid_map",
 	      (format("%d %d 1") % guestUID % hostUID).str());
 
-    writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny");
+    if (!haveCapSetGID && !extraGIDs.empty()) {
+	try {
+	    Strings args = {
+		std::to_string(child),
+		std::to_string(guestGID), std::to_string(hostGID), "1"
+	    };
+	    for (auto &pair: extraGIDs) {
+		args.push_back(std::to_string(pair.second));
+		args.push_back(std::to_string(pair.first));
+		args.push_back("1");
+	    }
+	    runProgram("newgidmap", true, args);
+	    printMsg(lvlChatty,
+		     format("mapped %1% extra GIDs into namespace of PID %2%")
+		     % extraGIDs.size() % child);
+	    return;
+	} catch (const ExecError &e) {
+	    ignoreException();
+	}
+	std::cerr << "here i am\n";
+    }
 
-    writeFile("/proc/" + std::to_string(child) + "/gid_map",
-	      (format("%d %d 1") % guestGID % hostGID).str());
+    if (!haveCapSetGID)
+	writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny");
+
+    auto content = (format("%d %d 1\n") % guestGID % hostGID).str();
+    if (haveCapSetGID) {
+	for (auto &mapping: extraGIDs) {
+	    content += (format("%d %d 1\n") % mapping.second % mapping.first).str();
+	}
+    }
+    writeFile("/proc/" + std::to_string(child) + "/gid_map", content);
+}
+
+/* Return the ID of the "kvm" group or -1 if it does not exist or is not part
+   of the current users supplementary groups.  */
+static gid_t kvmGID()
+{
+    struct group *kvm = getgrnam("kvm");
+    if (kvm == NULL) return -1;
+
+    size_t max = 64;
+    gid_t groups[max];
+    int count = getgroups(max, groups);
+    if (count < 0) return -1;
+
+    for (int i = 0; i < count; i++) {
+	if (groups[i] == kvm->gr_gid) return kvm->gr_gid;
+    }
+
+    return -1;
+}
+
+static gid_t guestKVMGID = 40000;
+
+static std::vector<std::pair<gid_t, gid_t>> kvmGIDMapping()
+{
+    gid_t kvm = kvmGID();
+    if (kvm == -1)
+	return {};
+    else {
+	std::pair<gid_t, gid_t> mapping(kvm, guestKVMGID);
+	return { mapping };
+    }
 }
 
 void DerivationGoal::startBuilder()
@@ -2016,8 +2080,9 @@ void DerivationGoal::startBuilder()
 	readiness.readSide.close();
 	if ((flags & CLONE_NEWUSER) != 0) {
 	     /* Initialize the UID/GID mapping of the child process.  */
-	     initializeUserNamespace(pid);
-	     writeFull(readiness.writeSide, (unsigned char*)"go\n", 3);
+	    auto extraGIDs = kvmGIDMapping();
+	    initializeUserNamespace(pid, getuid(), getgid(), extraGIDs);
+	    writeFull(readiness.writeSide, (unsigned char*)"go\n", 3);
 	}
 	readiness.writeSide.close();
     } else
@@ -2269,10 +2334,12 @@ void DerivationGoal::runChild()
 		auto uid = getuid();
 		auto gid = getgid();
 
+#if 0						  // FIXME!
 		if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1)
 		    throw SysError(format("creating new user and mount namespaces"));
 
-		initializeUserNamespace(getpid(), uid, gid);
+		auto extraGIDs = { std::pair<gid_t, gid_t>(guestKVMGID, guestKVMGID) };
+		initializeUserNamespace(getpid(), uid, gid, extraGIDs, true);
 
 		/* Check that mounts within the build environment are "locked"
 		   together and cannot be separated from within the build
@@ -2282,6 +2349,7 @@ void DerivationGoal::runChild()
 		   check that this is what we get.  */
 		int ret = umount(tmpDirInSandbox.c_str());
 		assert(ret == -1 && errno == EINVAL);
+#endif
 	    }
         }
 #endif
diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
index 56f116046c..b2c9b9f639 100644
--- a/nix/libutil/util.cc
+++ b/nix/libutil/util.cc
@@ -1081,9 +1081,11 @@ string runProgram(Path program, bool searchPath, const Strings & args)
 
     /* Wait for the child to finish. */
     int status = pid.wait(true);
-    if (!statusOk(status))
+    std::cerr << "status not ok: " << status << "\n";
+    if (!statusOk(status)) {
         throw ExecError(format("program `%1%' %2%")
             % program % statusToString(status));
+    }
 
     return result;
 }

--=-=-=--

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 3 May 2025 19:05:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat May 03 15:05:45 2025
Received: from localhost ([127.0.0.1]:43461 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uBIBE-0000Rh-Kq
	for submit <at> debbugs.gnu.org; Sat, 03 May 2025 15:05:44 -0400
Received: from mout02.posteo.de ([185.67.36.66]:43373)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1uBIBB-0000RO-8R
 for 77862 <at> debbugs.gnu.org; Sat, 03 May 2025 15:05:43 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id E637B240101
 for <77862 <at> debbugs.gnu.org>; Sat,  3 May 2025 21:05:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1746299134; bh=p7yeCK0yfA1doR62cxlFoU+T1QbJewJsZRggI6q8guY=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=mHoA4ODw8qfOFsY1VnWEJTgDq3X9IVvlpaS39hvzyhyciPkxbPQmWH7LOHfE0+srg
 mAgfYchNg2v2stBjmHko9B88xBne+vklk1mxDi/6pvt+e4N5dZVqAGOcH/xIoLsK/O
 HC0wylHUBHoHmbvXf2A0ieSTnlu5WYHtPw8oFDB2PvJID3cznIThRP28cWk2sM4qO3
 11m4ob0e3Tx1VOnIL8dMc0cbyh2fSpr1vJhacVdnWi0GZm7H1mlc/WV7OrX9BNBLwu
 FeC6q/FpFRkb9PoISNEyCSo2LudtS0pMM4BEWjC0gxyOL7um374mWLuAMBPc9utWjR
 9+KArSIPDY5Dg==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zqcgf2hRKz6twK;
 Sat,  3 May 2025 21:05:34 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 03 May 2025 19:05:34 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87r0158ye6.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN> <87r0158ye6.fsf@HIDDEN>
Message-ID: <e153f8b1b38b01c93bc29d11091091a3@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

On 03.05.2025 18:14, Ludovic Court=C3=A8s wrote:
> Hi,
>=20
> keinflue <keinflue@HIDDEN> writes:
>=20
>> Unfortunately the python package also fails with equivalent test
>> failures. It also has another failure mode where it expects a syscall
>> to change ownership to the overflow uid to result in EPERM, while it
>> will produce EINVAL (which happens even if there are no supplementary
>> groups). Should I post the details here or open a new issue?
>=20
> I think you can post it here.  Perhaps we should eventually keep all=20
> the
> issues in this category together in a text file somewhere, with log
> excerpts: that would allow us to better assess the packages affected by
> this difference between the privileged and the unprivileged daemon is.

It seems that the "chown to overflowgid" issue is somewhat widespread. I=20
also see the testsuite for go (bootstrap) failing in the same way. I'd=20
guess most implementations of "chown" system call wrappers in various=20
languages will have test cases like this that fail to anticipate user=20
namespaces. I will let my system build keep running a bit longer and=20
will then post the list of packages I found with log excerpts here.

>=20
> I wonder if we should set up a separate Cuirass instance or something
> building everything with the unprivileged daemon.

That would probably help since I am going to only test the packages that=20
I am using myself in order to evaluate switching to the unprivileged=20
guix-daemon. I don't have the resources to do more.

> Thanks,
> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 3 May 2025 16:32:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat May 03 12:32:37 2025
Received: from localhost ([127.0.0.1]:42808 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uBFn3-0000hO-9J
	for submit <at> debbugs.gnu.org; Sat, 03 May 2025 12:32:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50518)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1uBFmx-0000g5-Jk
 for 77862 <at> debbugs.gnu.org; Sat, 03 May 2025 12:32:32 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1uBFms-0007Lr-3q; Sat, 03 May 2025 12:32:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=nKaKoJcVdJmtccnSIqL/+WEONgLxgL7fWoiyBOLBm08=; b=LwcY2c2qFNF5t4Mp462r
 QTx/Ibe1xU1S/ee/zgJOGUaRiAeSex+z0O5dlpytAOnNLTYl/dq8Ytza1CBeAdWLXiIGl8NKoqmLX
 f/+iFQlQrT8zqGaLaGg/ErUbIewpMwPFTiUoRw5ZoOIfdzk+A8Ac1i6LUqrxqtlf2+2LULNpJYzdS
 +luv0oanpUomplM6+CYr/Z+5vLFpm8AW34sDOrAqt8f9oD5bLEgWc12e5B14INEKJMQoJONj5Jmfh
 k49d3HD+pDkmkVIs2HOFZuW61ZNwq2ID85NgwMlcqfr5tgaG4ysa1HUIrbStZmK4bQfaNcBBg2zds
 9+vUsepxtGJivg==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN>
 (keinflue@HIDDEN's message of "Sat, 03 May 2025 11:00:28 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
 <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Quartidi 14 =?utf-8?Q?Flor=C3=A9al?= an 233 de la
 =?utf-8?Q?R=C3=A9volution=2C?= jour du
 =?utf-8?Q?Cham=C3=A9risier?=
Date: Sat, 03 May 2025 18:14:25 +0200
Message-ID: <87r0158ye6.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

keinflue <keinflue@HIDDEN> writes:

> Unfortunately the python package also fails with equivalent test
> failures. It also has another failure mode where it expects a syscall
> to change ownership to the overflow uid to result in EPERM, while it
> will produce EINVAL (which happens even if there are no supplementary
> groups). Should I post the details here or open a new issue?

I think you can post it here.  Perhaps we should eventually keep all the
issues in this category together in a text file somewhere, with log
excerpts: that would allow us to better assess the packages affected by
this difference between the privileged and the unprivileged daemon is.

>> I will see whether I can report the issue(s) upstream to coreutils and
>> gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a
>> similar fix was applied to handle special gids on MacOS. Unfortunately
>> the default Linux overflow gid is not included in that list. In any
>> case, the patch needs to be adjusted for newer coreutils versions.
>
> coreutils already responded and fixed the issue
> (https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D78225).

That was fast!

> I still have to report to gnulib, but wanted to try building the
> standalone gnulib package first, which caused me to trip over the
> python issues.

Alright.

Thanks a lot for this very important work.

I wonder if we should set up a separate Cuirass instance or something
building everything with the unprivileged daemon.

Thanks,
Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 3 May 2025 11:00:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat May 03 07:00:39 2025
Received: from localhost ([127.0.0.1]:38656 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uBAbn-0004Oy-3D
	for submit <at> debbugs.gnu.org; Sat, 03 May 2025 07:00:39 -0400
Received: from mout01.posteo.de ([185.67.36.65]:39115)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1uBAbj-0004Oj-8o
 for 77862 <at> debbugs.gnu.org; Sat, 03 May 2025 07:00:37 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id F29C9240028
 for <77862 <at> debbugs.gnu.org>; Sat,  3 May 2025 13:00:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1746270028; bh=JX5IVi7T1NanZc9Hta0mApbUzBFhaMqV6EmbRdeo4Lk=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=EKOoz/w6xbvXp2wXRBv+AW+1fpg/Naf/pFl4/y8eno/KuCJ3G14RPkrmUmD8vRqc9
 BODqLVIdtiUQVzClwjmQ8YOgFccgEAg7LjA1QCN6YmHkv5Srjx6c06RD/i+8RkSynp
 hej4UnbF2ljs29XnWk997kaV+KsQ//Z9mM5tAQ+rUkFN3lu52i8IUy/IxK064q3r1k
 OebrDoAb0v1J1VCM8IeA4FQc3Vc+Tl+UyEH9UZvMgAND0laP1S49FMWvieazXi7VRM
 e2isiRotDPiLaOKpQh4HHXWzt6kvVsDHff+ZrELVejFU03qCYSf39XMHBcm3/twcm/
 UmQP7n6GZQ0pQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4ZqPvw3SqDz9rxN;
 Sat,  3 May 2025 13:00:28 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 03 May 2025 11:00:28 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN> <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
Message-ID: <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

  > It seems that now the system build proceeds much further (still=20
running).

Unfortunately the python package also fails with equivalent test=20
failures. It also has another failure mode where it expects a syscall to=20
change ownership to the overflow uid to result in EPERM, while it will=20
produce EINVAL (which happens even if there are no supplementary=20
groups). Should I post the details here or open a new issue?

> I will see whether I can report the issue(s) upstream to coreutils and
> gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a
> similar fix was applied to handle special gids on MacOS. Unfortunately
> the default Linux overflow gid is not included in that list. In any
> case, the patch needs to be adjusted for newer coreutils versions.

coreutils already responded and fixed the issue=20
(https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D78225).

I still have to report to gnulib, but wanted to try building the=20
standalone gnulib package first, which caused me to trip over the python=20
issues.

>>=20
>> Thanks,
>> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 3 May 2025 02:16:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 02 22:16:53 2025
Received: from localhost ([127.0.0.1]:35762 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uB2Qu-0002Q1-Sh
	for submit <at> debbugs.gnu.org; Fri, 02 May 2025 22:16:53 -0400
Received: from mout02.posteo.de ([185.67.36.66]:55569)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1uB2Qp-0002Pk-I5
 for 77862 <at> debbugs.gnu.org; Fri, 02 May 2025 22:16:51 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 52DBF240101
 for <77862 <at> debbugs.gnu.org>; Sat,  3 May 2025 04:16:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1746238601; bh=mKHZSbhYxXa6lKi1mc6GQdm6OUzhqVmmZhOMYXdmao4=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 From;
 b=WDu8yzsWj7lbUkVMQBAHFVhPLazIGqmUK2evf00TwqWnmzi2nLfPoC/D381MC2EYv
 4SD97sQWcFrzz9kg2CdmDxUcMsnXPKXW4k57prnj8nBfGQmxlrJvbGgu6XFuaKYs68
 kU9p4Zbna66qG9AnWBeuib/pah8l9wfaMe8wKRQd+8R+PEssPIHMPb1iEQIL3Ppj/f
 q7oFGD3m0LGWGCffdWv7AIK4dkUocfzexSaW89P9UIqdz/e85FasjkQ58GPgbWWCP0
 USYYAphy+YcOvdUqYSBhgS7Gz1MLx2qp0gFbSn6eqFPlvmoXPyCZyRgVWPsTOw0vkZ
 TzZGye+pTFqMw==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4ZqBHX60bkz9rxD;
 Sat,  3 May 2025 04:16:40 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 03 May 2025 02:16:40 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <875xijc99o.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 <875xijc99o.fsf@HIDDEN>
Message-ID: <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>
Content-Type: multipart/mixed;
 boundary="=_8e49de0197f63d5dcb44c76abf538139"
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=_8e49de0197f63d5dcb44c76abf538139
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8;
 format=flowed

Hi,

On 02.05.2025 17:38, Ludovic Court=C3=A8s wrote:
> Hello,
>=20
> keinflue <keinflue@HIDDEN> writes:
>=20
>> I also had another look and I missed that effectively CAP_SETGID is
>> required in the _parent_ namespace in order to use setgroups (because
>> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
>> forced).
>>=20
>> But the same seems to also be required to map more than the own
>> effective uid/gid of the process into the namespace.
>=20
> Right, user_namespaces(7) makes it clear:
>=20
>  =E2=80=A2  The data written to uid_map (gid_map) must consist of a sin=
=E2=80=90
>     gle  line  that maps the writing process's effective user ID
>     (group ID) in the parent user namespace to a user ID  (group
>     ID) in the user namespace.
>=20
>> So I guess neither solution of dropping or mapping supplementary
>> groups will work completely unprivileged and the only solution is to
>> modify or disable the coreutils test case.
>=20
> Yes, I came to this conclusion as well.
>=20
> I believe the attached Coreutils patch should fix that (yet to be
> tested).  Would be worth reporting upstream as well because in a way
> it=E2=80=99s a failure of the test framework.

I tried to test the patch:

I had trouble with the normal origin patches mechanism. The first=20
failing coreutils package is coreutils-final from commencement.scm and I=20
didn't manage to properly replace that package without a dependency on=20
the unpatched package remaining. Instead I wrote an equivalent=20
substitute* in a post-unpack phase.

The test cases mentioned earlier now succeeded, but another testsuite=20
for gnulib (also as part of coreutils) failed afterwards. The failure=20
cause is the same, except this time written in C sources. I also fixed=20
that via substitute* clauses. See attached patch. This unfortunately=20
causes rebuilds of the coreutils-mesboot (and coreutils-boot0) packages=20
as well, although those do not perform the tests.

It seems that now the system build proceeds much further (still=20
running).

I will see whether I can report the issue(s) upstream to coreutils and=20
gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a=20
similar fix was applied to handle special gids on MacOS. Unfortunately=20
the default Linux overflow gid is not included in that list. In any=20
case, the patch needs to be adjusted for newer coreutils versions.

>=20
> Thanks,
> Ludo=E2=80=99.
--=_8e49de0197f63d5dcb44c76abf538139
Content-Transfer-Encoding: base64
Content-Type: text/x-patch;
 name=coreutils.diff
Content-Disposition: attachment;
 filename=coreutils.diff;
 size=838

ZGlmZiAtLWdpdCBhL2dudS9wYWNrYWdlcy9iYXNlLnNjbSBiL2dudS9wYWNrYWdlcy9iYXNlLnNj
bQppbmRleCA0Yzk2ZmZhMWE0Li41YjAxNGRiZjAxIDEwMDY0NAotLS0gYS9nbnUvcGFja2FnZXMv
YmFzZS5zY20KKysrIGIvZ251L3BhY2thZ2VzL2Jhc2Uuc2NtCkBAIC01MzIsNiArNTMyLDExIEBA
IChkZWZpbmUtcHVibGljIGNvcmV1dGlscwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAiIHRlc3QtdXRpbWVuc2F0IikpKQogICAgICAgICAgICAgJygpKQogICAgICAgIzpwaGFz
ZXMgKG1vZGlmeS1waGFzZXMgJXN0YW5kYXJkLXBoYXNlcworCQkgKGFkZC1hZnRlciAndW5wYWNr
ICdwYXRjaAorICAgICAgICAgICAgICAgICAgIChsYW1iZGEgXworICAgICAgICAgICAgICAgICAg
ICAgKHN1YnN0aXR1dGUqICJnbnVsaWItdGVzdHMvdGVzdC1jaG93bi5oIiAoKCJnaWRzX2NvdW50
ID0uKiIpICJnaWRzX2NvdW50ID0gMTtcbiIpKQorICAgICAgICAgICAgICAgICAgICAgKHN1YnN0
aXR1dGUqICJnbnVsaWItdGVzdHMvdGVzdC1sY2hvd24uaCIgKCgiZ2lkc19jb3VudCA9LioiKSAi
Z2lkc19jb3VudCA9IDE7XG4iKSkKKyAgICAgICAgICAgICAgICAgICAgIChzdWJzdGl0dXRlKiAi
aW5pdC5jZmciICgoImdyb3Vwcz0uKiIpICJncm91cHM9XG4iKSkpKQogICAgICAgICAgICAgICAg
ICAoYWRkLWJlZm9yZSAnYnVpbGQgJ3BhdGNoLXNoZWxsLXJlZmVyZW5jZXMKICAgICAgICAgICAg
ICAgICAgICAobGFtYmRhIF8KICAgICAgICAgICAgICAgICAgICAgIDs7ICdzcGxpdCcgdXNlcyBl
aXRoZXIgJFNIRUxMIG9yIC9iaW4vc2guICBTZXQgJFNIRUxMIHNvCg==
--=_8e49de0197f63d5dcb44c76abf538139--

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 2 May 2025 20:13:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 02 16:13:48 2025
Received: from localhost ([127.0.0.1]:33678 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uAwlX-0008UQ-Jx
	for submit <at> debbugs.gnu.org; Fri, 02 May 2025 16:13:47 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:52644)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1uAwlU-0008Tp-61
 for 77862 <at> debbugs.gnu.org; Fri, 02 May 2025 16:13:45 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1uAwlO-0007m5-5x; Fri, 02 May 2025 16:13:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=CtgWaSLZ9dlAtR3GeQkkd/jTvhjHjkjOlZeEDNSMEv4=; b=ZAUHia7GVOrCU2E0b3GU
 artif5ayidzODja1UDv5NqvQjHHiofGh3sGa2IUcy7GhsVt3NQfmAzTIM2F0hqYqpFtARQyotAynG
 pb6DxDbbH4gcbqWU2C6TTUCQuYLLRe3KNH8erii6UdVSVCrgRw5f3aQnkYIODtSGhsM/zUPn4YtQr
 c/AFHBkvPOrDYnHJZpfEEMVOYSHbvKxNAQ2mCtps4j41dSdtOFC9FQ+K8QfD6y4CfwQ24KhAi4aL0
 mUDP7Vax+GZzq8022CuJ5zHebD3MKle9r88/+tzq0/Uj7GVe+Org/SycmF+mqTQ+q+TMozMqK+G5+
 iKitvYJezVbLnw==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
 (keinflue@HIDDEN's message of "Sat, 26 Apr 2025 11:08:57 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN> <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Tridi 13 =?utf-8?Q?Flor=C3=A9al?= an 233 de la
 =?utf-8?Q?R=C3=A9volution=2C?= jour du
 =?utf-8?Q?B=C3=A2ton-d'or?=
Date: Fri, 02 May 2025 17:38:59 +0200
Message-ID: <875xijc99o.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -1.2 (-)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.2 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

keinflue <keinflue@HIDDEN> writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

 =E2=80=A2  The data written to uid_map (gid_map) must consist of a sin=E2=
=80=90
    gle  line  that maps the writing process's effective user ID
    (group ID) in the parent user namespace to a user ID  (group
    ID) in the user namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested).  Would be worth reporting upstream as well because in a way
it=E2=80=99s a failure of the test framework.

Thanks,
Ludo=E2=80=99.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/init.cfg b/init.cfg
index 856aa2ee7..e19ec5a31 100644
--- a/init.cfg
+++ b/init.cfg
@@ -488,7 +488,12 @@ require_membership_in_two_groups_()
 {
   test $# = 0 || framework_failure_
 
-  groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}
+  # Always pretend this user account is not a member of any
+  # supplementary group.  This avoids wrong expectations from tests
+  # when the supplementary group is the overflow GID as is the case
+  # when 'guix-daemon' runs as an unprivileged user that is part of
+  # supplementary groups such as 'kvm'.
+  groups=
   case "$groups" in
     *' '*) ;;
     *) skip_ 'requires membership in two groups

--=-=-=--

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 26 Apr 2025 11:09:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 26 07:09:10 2025
Received: from localhost ([127.0.0.1]:58644 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u8dPB-00009m-JH
	for submit <at> debbugs.gnu.org; Sat, 26 Apr 2025 07:09:10 -0400
Received: from mout02.posteo.de ([185.67.36.66]:58019)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u8dP8-00008w-H7
 for 77862 <at> debbugs.gnu.org; Sat, 26 Apr 2025 07:09:07 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id F4045240101
 for <77862 <at> debbugs.gnu.org>; Sat, 26 Apr 2025 13:08:58 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745665738; bh=gPb5rM9tVlld2zkLlzDJ7wFNh0Ljkwx5M8zWiYQX/r8=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=fORpmyYi9AjKVvjW2tAAngHupJ/AqSzXmoaHNHu1G3rNlGxzPdb/8U24kpAr9HV3q
 wRXhXwa2ah+24+utvTUJZDni0XYG6hDJ8S6YAg+6eFjRgYiQo2878SeJUkZEBl0+rK
 hK2qBcgkwo1HsiDKZvFiejuQ0ZJMmUCrz9vM3vOSLhd7cBkL98oqntB64mVk7OIepO
 l8e9n6PHUNXJKlPAkFFYk7KlHePUBb41gOxGrBvcBD2aS7TWHjoLQ+VAhL+V6yrgVO
 grs0s/UTY3mNflhQ0EXZULkQRVusIJSif1f8NfSg4mcHu23TvqCZE6F8SWSJdwOEI7
 FUCTkbyQYy5Fw==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zl6Qy27rmz9rxK;
 Sat, 26 Apr 2025 13:08:57 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 26 Apr 2025 11:08:57 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87h62b9uhg.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 <87h62b9uhg.fsf@HIDDEN>
Message-ID: <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

On 26.04.2025 10:50, Ludovic Court=C3=A8s wrote:

>> If there is no supplementary group reported by getgroups at all, then
>> coreutils just skips the test and it is ok again. Probably the
>> coreutils test case should remove any gid reported by getgroups that
>> is equal to the overflow gid before making that decision.
>>=20
>> Dropping all supplementary groups from the build process (after
>> unshare and before writing "deny" to /proc/pid/setgroups) would make
>> it so that this test case is always skipped by having getgroups only
>> report 30000, however that would also drop the kvm group as mentioned
>> above and is also not permitted in all environments (e.g. when the
>> parent namespace already set /proc/[pid]/setgroups to "deny").
>>=20
>> So I think that instead either all supplementary groups of the user or
>> at least the kvm group specifically needs to be mapped via
>> /proc/[pid]/gid_map. When doing so getgroups would report 30000 and
>> 984 (assuming identity gid map for 984) in your test case above and
>> the coreutils test case would work again, because
>>=20
>> chgrp 984 testfile
>>=20
>> would then succeed with 984 mapping back to the host namespace to a
>> supplementary group of the process.
>=20
> Having reread user_namespaces(7), I don=E2=80=99t think we can change the=
 set=20
> of
> supplementary groups at all: that effectively requires root privileges.
>=20
> So the best we can do is map the =E2=80=9Ckvm=E2=80=9D group inside the u=
ser namespace.

I also had another look and I missed that effectively CAP_SETGID is=20
required in the _parent_ namespace in order to use setgroups (because=20
otherwise writing "deny" to /proc/[pid]/setgroups is essentially=20
forced).

But the same seems to also be required to map more than the own=20
effective uid/gid of the process into the namespace.

Mapping more uids/gids is otherwise usually handled by a setuid utility=20
(newuidmap, newgidmap) I think.

So I guess neither solution of dropping or mapping supplementary groups=20
will work completely unprivileged and the only solution is to modify or=20
disable the coreutils test case.

And mapping only kvm wouldn't be sufficient either, unless only that=20
specific group would be supported. All supplementary groups of the=20
process must be mapped for the test case to succeed (or at least one of=20
them, I haven't checked by which rule the test cases chooses the gid for=20
the test scenario from among the supplementary gids).

Best,
keinflue

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 26 Apr 2025 09:40:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 26 05:40:44 2025
Received: from localhost ([127.0.0.1]:58232 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u8c1b-0003On-Fz
	for submit <at> debbugs.gnu.org; Sat, 26 Apr 2025 05:40:44 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59028)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u8c1Z-0003OU-Gs
 for 77862 <at> debbugs.gnu.org; Sat, 26 Apr 2025 05:40:42 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u8c1S-00040P-Bm; Sat, 26 Apr 2025 05:40:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=rgXIfIGUY9WIp5wEIj7SOpHRcn0ELZmR+f4EAAwz5VI=; b=TzPll0T2tuvVmcJ95YNY
 HnGaa3ss6RMcpWt//hMI0VQaCMAovm5n89xE4+Xs+a2ORx3FlENak+++NUCF/F8oIY0W3+muvhCkE
 DvEcFyMaLvYOZTQ+W6qiJ+pTVzXYxG+jbQibhPcMA1uFPbzKsFvuTS5OYNAbfSaMThvqQ0NtffHgk
 FbvTPXJ2udFF0f2XtZsDjAvyVzXbog7iKUPKJiMGECJNhA8aQjxvFJmmgH8LL8JWImfFbqiC57a0S
 QFwNHtcgxYEJtH5bZkqaiXCkqTyueT3ZNxvUdkvEQELroWP4KaWspcFd2IMupce/evUE2BRiZ8HBP
 NFgBqg4rqYMkpw==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
 (keinflue@HIDDEN's message of "Sat, 26 Apr 2025 00:23:01 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN> <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Septidi 7 =?utf-8?Q?Flor=C3=A9al?= an 233 de la
 =?utf-8?Q?R=C3=A9volution=2C?= jour du Muguet
Date: Sat, 26 Apr 2025 10:50:51 +0200
Message-ID: <87h62b9uhg.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

keinflue <keinflue@HIDDEN> writes:

>>   2. I=E2=80=99m confused as to what makes the Coreutils test suite fail.
>
> The result from getgroups includes both the primary gid 30000 and a
> supplementary gid 65534 (where the repeated 65534 are the overflow gid
> produced by viewing supplementary gids that aren't mapped into the
> user namespace via /proc/[pid]/gid_map).
> Coreutils sees this and so assumes that it can do the equivalent of
>
> touch testfile
> chgrp 65534 testfile
>
> to create a file owned by group 30000 initially and to then change
> group ownership of that file to 65534. Normally an unprivileged user
> is allowed to change group ownership of files they own between groups
> that they are member of, so this would always succeed outside a user
> namespace context.
>
> However, any uid/gid used inside the user namespace is translated back
> to the host namespace via the uid/gid_map before permission
> checks. But in this case because 65534 doesn't map back to any gid in
> the host namespace, the syscall will fail.

Oh right, got it.

> If there is no supplementary group reported by getgroups at all, then
> coreutils just skips the test and it is ok again. Probably the
> coreutils test case should remove any gid reported by getgroups that
> is equal to the overflow gid before making that decision.
>
> Dropping all supplementary groups from the build process (after
> unshare and before writing "deny" to /proc/pid/setgroups) would make
> it so that this test case is always skipped by having getgroups only
> report 30000, however that would also drop the kvm group as mentioned
> above and is also not permitted in all environments (e.g. when the
> parent namespace already set /proc/[pid]/setgroups to "deny").
>
> So I think that instead either all supplementary groups of the user or
> at least the kvm group specifically needs to be mapped via
> /proc/[pid]/gid_map. When doing so getgroups would report 30000 and
> 984 (assuming identity gid map for 984) in your test case above and
> the coreutils test case would work again, because
>
> chgrp 984 testfile
>
> would then succeed with 984 mapping back to the host namespace to a
> supplementary group of the process.

Having reread user_namespaces(7), I don=E2=80=99t think we can change the s=
et of
supplementary groups at all: that effectively requires root privileges.

So the best we can do is map the =E2=80=9Ckvm=E2=80=9D group inside the use=
r namespace.

> From a point of reproducibility and information leakage into the build
> container I think however that it would be preferable to not retain
> supplementary groups if possible. In contrast to the privileged build
> with a distinct build user that the can be given desired supplementary
> groups at will, the unprivileged environment may be one where the
> supplementary groups of the user running the daemon can't easily be
> changed to what is supposed to be seen in the build environment.

I agree, though in practice, the daemon will usually run under a
dedicated user anyway: this is what =E2=80=98guix-install.sh=E2=80=99 does =
on other
distros, and this is what happens with (privileged? #t) on Guix System.
In these cases, there=E2=80=99d be no observable difference.

The observable difference (namely getgroups(2) returning a list of
unmapped GIDs) would be when people run the daemon as their own user,
which is currently inconvenient.

> - I also noticed that the build container /etc/group is written with
>   65534 assumed as overflow gid. I am not sure whether anyone actually
>   does this, but the overflow uid/gid are technically configurable
>   (and retrievable) via sysctl entries
>   (/proc/sys/kernel/overflow(uid|gid)). 65534 is just the default
>  value.

Note that the =E2=80=9Cnobody=E2=80=9D UID in /etc/passwd dates back to bef=
ore the
unprivileged daemon implementation.  It just happens to match the
default overflow UID, but I agree we should use the right one here.

> - I also noticed that the operating-system defaults do not write an
>   entry for the overflow gid to /etc/group (while they do for the
>   overflow uid to /etc/passwd). I think such an entry should exist by
>   default as well. The entry for /etc/passwd also assumes the default
>   overflow uid of 65534. This isn't only relevant for a user namespace
>   context, but also file systems that can't map the whole range of
>  Linux uids/gids.

I=E2=80=99m not sure this needs to be changed because it=E2=80=99s not all =
that
different from the preexisting situation where =E2=80=9Ckvm=E2=80=9D would =
not have an
entry in /etc/group.

Thanks,
Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 26 Apr 2025 00:23:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Apr 25 20:23:14 2025
Received: from localhost ([127.0.0.1]:55234 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u8TK6-0007DF-1l
	for submit <at> debbugs.gnu.org; Fri, 25 Apr 2025 20:23:14 -0400
Received: from mout01.posteo.de ([185.67.36.65]:43271)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u8TK3-0007Cq-5V
 for 77862 <at> debbugs.gnu.org; Fri, 25 Apr 2025 20:23:12 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id A26BF240027
 for <77862 <at> debbugs.gnu.org>; Sat, 26 Apr 2025 02:23:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745626983; bh=4i1PG5YB2iJOe6lbFz2Dqf1Kxx8pjwNDbdLnd2EhCs8=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=WY2m+Kwz9J3W4WZ892ake7K1g+wad+uK6RTgZ2rF1dITy6V7OW6V7QFPCB4uqvIkh
 bBCT2Ryl2G23N/MEUKw6MuO9t6BtITKripibVj/cQFBaYdZt47UhnPg1aCaYMtuxre
 2pLXa2F8lY2MHcmaZ8bwlTaMu/AI2aRyeFT/LXT0o3dUIVzHjyHmyob3pEFhL6M0C5
 GelIKUrFqrFH0ZBWb9xm6mpnQfwt2I5lInBfYWtJ1Ytffa07PKdISiOYPJIxqRjveg
 gtlYjgKlFy+0IarNWH8h47IQklyYPPgzsqKrUehPmluPErfVLkV/mnsad7C6Z8lclm
 AdMKMxwgwYqiQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zkr5d5Hjfz6tw3;
 Sat, 26 Apr 2025 02:23:01 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 26 Apr 2025 00:23:01 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87selwccgu.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 <87selwccgu.fsf@HIDDEN>
Message-ID: <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

On 25.04.2025 20:39, Ludovic Court=C3=A8s wrote:
> Hi,
>=20
> I committed the /etc/group fix in
> 0d3bc50b0cffeae05beb12d0c270c6599186c0d7 together with a test.
>=20
> keinflue <keinflue@HIDDEN> writes:
>=20
>> I think this happens if the user running guix-daemon has supplementary
>> groups. These are not mapped via /proc/gid_map in the build container
>> and therefore are reported as the overflow gid (65534) by getgroups.
>>=20
>> The test cases assume that they can change ownership to this
>> additional group but that is not permitted on the overflow gid.
>>=20
>> I think supplementary groups should be dropped in the user namespace
>> for the build container to make the behavior
>> reproducible. Unfortunately this may be impossible if the parent
>> namespace has set /proc/[...]/setgroups to "deny".
>=20
> I came up with this test:
>=20
> --8<---------------cut here---------------start------------->8---
> (use-modules (guix)
>              (gcrypt hash)
>              (gnu packages bootstrap))
>=20
> (computed-file "kvm-access"
>                #~(begin
>                    (pk '#$(gettimeofday))
>                    (let ((st (stat "/dev/kvm")))
>                      (pk '/dev/kvm st)
>                      (pk '/dev/kvm:owner (stat:uid st) (stat:gid st))
>                      (pk 'getgroups (getgroups))
>                      ;; XXX: When running the daemon as root, /dev/kvm=20
> is
>                      ;; owned by UID 0, which has no entry in=20
> /etc/passwd.
>                      ;; (pk 'kvm-user (getpwuid (stat:uid st)))
>                      ;; xxx: /etc/group never contained an entry to the=
=20
> "kvm"
>                      ;; group so the thing below always failed.
>                      ;; (pk 'kvm-group (getgrgid (stat:gid st)))
>                      )
>                    (when (open-fdes "/dev/kvm" O_RDWR)
>                      (mkdir #$output)))
>                #:guile %bootstrap-guile)
> --8<---------------cut here---------------end--------------->8---
>=20
> Privileged:
>=20
> --8<---------------cut here---------------start------------->8---
> $ guix build -f ~/src/guix-debugging/dev-kvm-access.scm
> substitute: looking for substitutes on 'http://192.168.1.48:8123'...
> 0.0%guix substitute: warning: 192.168.1.48: connection failed:
> Connection timed out
> substitute:
> substitute: looking for substitutes on 'https://ci.guix.gnu.org'...=20
> 100.0%
> substitute: looking for substitutes on=20
> 'https://bordeaux.guix.gnu.org'... 100.0%
> substitute: looking for substitutes on
> 'https://guix.bordeaux.inria.fr'... 100.0%
> The following derivation will be built:
>   /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
> substitute: looking for substitutes on 'http://192.168.1.48:8123'...  =20
> 0.0%
> building /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv...
>=20
> ;;; ((1745606160 . 233876))
>=20
> ;;; (/dev/kvm #(6 483 8624 1 0 984 2792 0 1745359386 1745359386
> 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))
>=20
> ;;; (/dev/kvm:owner 0 984)
>=20
> ;;; (getgroups #(984 30000))
> successfully built=20
> /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
> /gnu/store/36fin1iw2fh9066jg0y2fjd78j9wyjwp-kvm-access
> --8<---------------cut here---------------end--------------->8---
>=20
> Unprivileged:
>=20
> --8<---------------cut here---------------start------------->8---
> $ ./test-env guix build -f ~/src/guix-debugging/dev-kvm-access.scm
> accepted connection from pid 2591, user ludo
> accepted connection from pid 2601, user ludo
> substitute: guix substitute: warning: ACL for archive imports seems to
> be uninitialized, substitutes may be unavailable
> substitute: guix substitute: warning: authentication and authorization
> of substitutes disabled!
> The following derivation will be built:
>=20
> /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-a=
ccess.drv
> substitute: guix substitute: warning: authentication and authorization
> of substitutes disabled!
> building
> /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-a=
ccess.drv...
>=20
> ;;; ((1745606200 . 636919))
>=20
> ;;; (/dev/kvm #(6 483 8624 1 65534 65534 2792 0 1745359386 1745359386
> 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))
>=20
> ;;; (/dev/kvm:owner 65534 65534)
>=20
> ;;; (getgroups #(65534 65534 65534 65534 65534 65534 65534 30000=20
> 65534))
> successfully built
> /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-a=
ccess.drv
> /home/ludo/src/guix/test-tmp/store/ffh8zaw279dgdsh6q54mlldh4nikxiqp-kvm-a=
ccess
> --8<---------------cut here---------------end--------------->8---
>=20
> In both cases, /dev/kvm is accessible.
>=20
> In both cases, only the primary group has an entry in /etc/group;
> supplementary groups are lacking.
>=20
> So:
>=20
>   1. I don=E2=80=99t think we need to map the =E2=80=9Ckvm=E2=80=9D UID/G=
ID into the user
>      namespace;

For the purpose of the passive permission checks that is not necessary,=20
yes. There are no uids or gids being translated between the user=20
namespaces. However if all supplementary groups would be dropped, that=20
would include the kvm group and then this test will fail to access=20
/dev/kvm. That was the problem I saw with that first suggestion.

>   2. I=E2=80=99m confused as to what makes the Coreutils test suite fail=
=2E

The result from getgroups includes both the primary gid 30000 and a=20
supplementary gid 65534 (where the repeated 65534 are the overflow gid=20
produced by viewing supplementary gids that aren't mapped into the user=20
namespace via /proc/[pid]/gid_map).
Coreutils sees this and so assumes that it can do the equivalent of

touch testfile
chgrp 65534 testfile

to create a file owned by group 30000 initially and to then change group=20
ownership of that file to 65534. Normally an unprivileged user is=20
allowed to change group ownership of files they own between groups that=20
they are member of, so this would always succeed outside a user=20
namespace context.

However, any uid/gid used inside the user namespace is translated back=20
to the host namespace via the uid/gid_map before permission checks. But=20
in this case because 65534 doesn't map back to any gid in the host=20
namespace, the syscall will fail.

If there is no supplementary group reported by getgroups at all, then=20
coreutils just skips the test and it is ok again. Probably the coreutils=20
test case should remove any gid reported by getgroups that is equal to=20
the overflow gid before making that decision.

Dropping all supplementary groups from the build process (after unshare=20
and before writing "deny" to /proc/pid/setgroups) would make it so that=20
this test case is always skipped by having getgroups only report 30000,=20
however that would also drop the kvm group as mentioned above and is=20
also not permitted in all environments (e.g. when the parent namespace=20
already set /proc/[pid]/setgroups to "deny").

So I think that instead either all supplementary groups of the user or=20
at least the kvm group specifically needs to be mapped via=20
/proc/[pid]/gid_map. When doing so getgroups would report 30000 and 984=20
(assuming identity gid map for 984) in your test case above and the=20
coreutils test case would work again, because

chgrp 984 testfile

would then succeed with 984 mapping back to the host namespace to a=20
supplementary group of the process.

 From a point of reproducibility and information leakage into the build=20
container I think however that it would be preferable to not retain=20
supplementary groups if possible. In contrast to the privileged build=20
with a distinct build user that the can be given desired supplementary=20
groups at will, the unprivileged environment may be one where the=20
supplementary groups of the user running the daemon can't easily be=20
changed to what is supposed to be seen in the build environment.

The contents of /etc/group are not relevant for this test case failure,=20
they are never consulted.

But a few other asides (for which I don't necessarily think anything=20
should be changed):

- I also noticed that the build container /etc/group is written with=20
65534 assumed as overflow gid. I am not sure whether anyone actually=20
does this, but the overflow uid/gid are technically configurable (and=20
retrievable) via sysctl entries (/proc/sys/kernel/overflow(uid|gid)).=20
65534 is just the default value.

- I also noticed that the operating-system defaults do not write an=20
entry for the overflow gid to /etc/group (while they do for the overflow=20
uid to /etc/passwd). I think such an entry should exist by default as=20
well. The entry for /etc/passwd also assumes the default overflow uid of=20
65534. This isn't only relevant for a user namespace context, but also=20
file systems that can't map the whole range of Linux uids/gids.

> It would still be good to drop any supplementary group other than =E2=80=
=9Ckvm=E2=80=9D
> though.
>=20
> WDYT?
>=20
> Thanks,
> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 25 Apr 2025 18:39:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Apr 25 14:39:58 2025
Received: from localhost ([127.0.0.1]:52899 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u8Nxt-0006Fe-Ph
	for submit <at> debbugs.gnu.org; Fri, 25 Apr 2025 14:39:58 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48720)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u8Nxp-0006Ep-NO
 for 77862 <at> debbugs.gnu.org; Fri, 25 Apr 2025 14:39:54 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u8Nxk-0006eB-CU; Fri, 25 Apr 2025 14:39:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=dqgcacmwetH+2R3rPgHxU0UXSgVP3GeAzOSZB9ZVNRQ=; b=TtmzwBNxmMqP2Gt0q+ya
 PzzcoMBA7OOL8wwmWkahtJZmGUbeeUMkLxLLIU1VOpezqoLhN2Hks+GP72ML8Vv0wIc3ZP7Jlnm4/
 e8P63doOoYCC91nzdhbnXI2oHxAHjYWzPn2dFeqnVYk0Bj/pTRJgXhkJMTPGDsq035Y04GVZiLGzO
 dlBtSUxNKKRatMFdq9znjhS9quMetl60cs669pIUgbMu9BeZ5Dxwk48yniyGIfPSeHSrD+lQe1Sgj
 md3jTLCgSuZEG4HDK0cP+w1eed12DVm5s5A3kXVTA4Hz2y95pXCABLK+kfeQ2e//pjlgtDl2+bDjh
 hEB0BpYjVcVfxw==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
 (keinflue@HIDDEN's message of "Sat, 19 Apr 2025 11:18:51 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Sextidi 6 =?utf-8?Q?Flor=C3=A9al?= an 233 de la
 =?utf-8?Q?R=C3=A9volution=2C?= jour de l'Ancolie
Date: Fri, 25 Apr 2025 20:39:29 +0200
Message-ID: <87selwccgu.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

I committed the /etc/group fix in
0d3bc50b0cffeae05beb12d0c270c6599186c0d7 together with a test.

keinflue <keinflue@HIDDEN> writes:

> I think this happens if the user running guix-daemon has supplementary
> groups. These are not mapped via /proc/gid_map in the build container
> and therefore are reported as the overflow gid (65534) by getgroups.
>
> The test cases assume that they can change ownership to this
> additional group but that is not permitted on the overflow gid.
>
> I think supplementary groups should be dropped in the user namespace
> for the build container to make the behavior
> reproducible. Unfortunately this may be impossible if the parent
> namespace has set /proc/[...]/setgroups to "deny".

I came up with this test:

--8<---------------cut here---------------start------------->8---
(use-modules (guix)
             (gcrypt hash)
             (gnu packages bootstrap))

(computed-file "kvm-access"
               #~(begin
                   (pk '#$(gettimeofday))
                   (let ((st (stat "/dev/kvm")))
                     (pk '/dev/kvm st)
                     (pk '/dev/kvm:owner (stat:uid st) (stat:gid st))
                     (pk 'getgroups (getgroups))
                     ;; XXX: When running the daemon as root, /dev/kvm is
                     ;; owned by UID 0, which has no entry in /etc/passwd.
                     ;; (pk 'kvm-user (getpwuid (stat:uid st)))
                     ;; xxx: /etc/group never contained an entry to the "kv=
m"
                     ;; group so the thing below always failed.
                     ;; (pk 'kvm-group (getgrgid (stat:gid st)))
                     )
                   (when (open-fdes "/dev/kvm" O_RDWR)
                     (mkdir #$output)))
               #:guile %bootstrap-guile)
--8<---------------cut here---------------end--------------->8---

Privileged:

--8<---------------cut here---------------start------------->8---
$ guix build -f ~/src/guix-debugging/dev-kvm-access.scm
substitute: looking for substitutes on 'http://192.168.1.48:8123'...   0.0%=
guix substitute: warning: 192.168.1.48: connection failed: Connection timed=
 out
substitute:=20
substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 1=
00.0%
substitute: looking for substitutes on 'https://guix.bordeaux.inria.fr'... =
100.0%
The following derivation will be built:
  /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
substitute: looking for substitutes on 'http://192.168.1.48:8123'...   0.0%
building /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv...

;;; ((1745606160 . 233876))

;;; (/dev/kvm #(6 483 8624 1 0 984 2792 0 1745359386 1745359386 1745359386 =
4096 0 char-special 432 382791307 382791307 1745359386))

;;; (/dev/kvm:owner 0 984)

;;; (getgroups #(984 30000))
successfully built /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.d=
rv
/gnu/store/36fin1iw2fh9066jg0y2fjd78j9wyjwp-kvm-access
--8<---------------cut here---------------end--------------->8---

Unprivileged:

--8<---------------cut here---------------start------------->8---
$ ./test-env guix build -f ~/src/guix-debugging/dev-kvm-access.scm
accepted connection from pid 2591, user ludo
accepted connection from pid 2601, user ludo
substitute: guix substitute: warning: ACL for archive imports seems to be u=
ninitialized, substitutes may be unavailable
substitute: guix substitute: warning: authentication and authorization of s=
ubstitutes disabled!
The following derivation will be built:
  /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-a=
ccess.drv
substitute: guix substitute: warning: authentication and authorization of s=
ubstitutes disabled!
building /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcj=
p-kvm-access.drv...

;;; ((1745606200 . 636919))

;;; (/dev/kvm #(6 483 8624 1 65534 65534 2792 0 1745359386 1745359386 17453=
59386 4096 0 char-special 432 382791307 382791307 1745359386))

;;; (/dev/kvm:owner 65534 65534)

;;; (getgroups #(65534 65534 65534 65534 65534 65534 65534 30000 65534))
successfully built /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpli=
iwk81bvrcjp-kvm-access.drv
/home/ludo/src/guix/test-tmp/store/ffh8zaw279dgdsh6q54mlldh4nikxiqp-kvm-acc=
ess
--8<---------------cut here---------------end--------------->8---

In both cases, /dev/kvm is accessible.

In both cases, only the primary group has an entry in /etc/group;
supplementary groups are lacking.

So:

  1. I don=E2=80=99t think we need to map the =E2=80=9Ckvm=E2=80=9D UID/GID=
 into the user
     namespace;

  2. I=E2=80=99m confused as to what makes the Coreutils test suite fail.

It would still be good to drop any supplementary group other than =E2=80=9C=
kvm=E2=80=9D
though.

WDYT?

Thanks,
Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 19 Apr 2025 14:37:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 19 10:37:15 2025
Received: from localhost ([127.0.0.1]:35125 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u69Jg-0002PA-Gs
	for submit <at> debbugs.gnu.org; Sat, 19 Apr 2025 10:37:15 -0400
Received: from mout02.posteo.de ([185.67.36.66]:54725)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u69Jb-0002OT-9t
 for 77862 <at> debbugs.gnu.org; Sat, 19 Apr 2025 10:37:10 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id E7751240103
 for <77862 <at> debbugs.gnu.org>; Sat, 19 Apr 2025 16:36:59 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745073419; bh=ak3//9WGeWU5D9J3iNq+Wv/wBHs8DY77jaK+zNssUYs=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=j98pob3PP+PeijtZArymNA7QS7XKtBJQ2VDdxBfEWwLLEq3zXp03TOlQ6xwQRN07k
 przSZR91yuEkVw/jrZ61x/Y5fD7vQs8hzjhRlHEC6y9bhcqVbKCoW72yUHl57s2KAT
 h7czAj6lgtRzBZK+zYiBjCU78PLWQ9ppZW+SDKq1rFBsKV0DgZ9EwBsqpgxgX429+x
 hXejOv0h93cFwbIt/+E9euS3cmSkrFuyXdo4AKlP1IHD7QZVGFzNfv0OmRWsIOGaYP
 mG2o0qPzLTTGE614tT3X8s4YorAEmY7H912PEwoZvkY3jDHZL2jaaxRZObU7K/fCN3
 hscI2qzuFa/sA==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4ZfvNC0S86z6tyc;
 Sat, 19 Apr 2025 16:36:59 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 19 Apr 2025 14:36:59 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN> <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
Message-ID: <9b324ff4015e176164829814dfe5cd43@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

I just realized that there is also need for special handling of=20
/dev/kvm. When running with privileges it was possible to add the build=20
users to the kvm group to get access to /dev/kvm in the build container.

To have this continue to work in unprivileged mode, the kvm group (or I=20
guess more specifically the group of /dev/kvm) should be mapped in the=20
user namespace and presumably should not be dropped from supplementary=20
groups.

There is also /dev/tty in the container which has unmapped group=20
ownership, although that doesn't prevent access to it.

Alternatively I guess all supplementary groups could be preserved, but=20
they should then also all be mapped into the user namespace. Then the=20
user would have to drop supplementary groups manually (if they are able=20
to) before running guix-daemon if they do not want any of them to=20
propagate into the build environment and can't create a new user=20
specifically for that purpose (e.g. because they do not have root access=20
on the machine).

On 19.04.2025 13:18, keinflue wrote:
> I can confirm that the patch resolves the particular failing test.
>=20
> However I overlooked that there are other failing tests:
>=20
>> FAIL: tests/chgrp/default-no-deref.sh
>> FAIL: tests/chgrp/no-x.sh
>> FAIL: tests/chgrp/posix-H.sh
>> FAIL: tests/chgrp/recurse.sh
>> FAIL: tests/chgrp/basic.sh
>=20
> Here is an example of the failures:
>=20
>> + require_membership_in_two_groups_
>> + test 0 =3D 0
>> + groups=3D'30000 65534'
>> + case "$groups" in
>> + require_local_dir_
>> + require_mount_list_
>> + local 'mount_list_fail=3Dcannot read table of mounted file systems'
>> + df --local
>> + grep -F 'cannot read table of mounted file systems'
>> + is_local_dir_ .
>> + test 1 =3D 1
>> + df --local .
>> + set _ 30000 65534
>> + shift
>> + g2=3D65534
>> + mkdir d
>> + touch f
>> + ln -s ../f d/s
>> ++ stat --printf=3D%g f
>> + g_init=3D30000
>> + chgrp -R 65534 d
>> chgrp: changing group of 'd/s': Invalid argument
>> chgrp: changing group of 'd': Invalid argument
>> + fail=3D1
>> ++ stat --printf=3D%g f
>> + test 30000 =3D 30000
>> + Exit 1
>> + set +e
>> + exit 1
>> + exit 1
>> + remove_tmp_
>> + __st=3D1
>> + cleanup_
>> + :
>> + test '' =3D yes
>> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
>> + chmod -R u+rwx=20
>> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
>> + rm -rf=20
>> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
>> + exit 1
>> FAIL tests/chgrp/default-no-deref.sh (exit status: 1)
>=20
> I think this happens if the user running guix-daemon has supplementary
> groups. These are not mapped via /proc/gid_map in the build container
> and therefore are reported as the overflow gid (65534) by getgroups.
>=20
> The test cases assume that they can change ownership to this
> additional group but that is not permitted on the overflow gid.
>=20
> I think supplementary groups should be dropped in the user namespace
> for the build container to make the behavior reproducible.
> Unfortunately this may be impossible if the parent namespace has set
> /proc/[...]/setgroups to "deny".
>=20
> Best,
> keinflue
>=20
> On 17.04.2025 18:51, Ludovic Court=C3=A8s wrote:
>> keinflue <keinflue@HIDDEN> writes:
>>=20
>>> Here are excerpts from the build log:
>>=20
>> Thanks.
>>=20
>>> Unfortunately I made a mistake and accidentally lost the container in
>>> which I tried this, so I can not verify right now whether the patch
>>> actually resolves the issue.
>>>=20
>>> It might take me a day or two to restore it.
>>=20
>> No worries, I=E2=80=99ll wait for your feedback.
>>=20
>>> This happened either during or shortly after bootstrap builds, so I
>>> don't know whether this was the final coreutils package or one from
>>> commencement.scm.
>>=20
>> OK.
>>=20
>> If you have a setup for full rebuilds (no substitutes) running in a
>> container, I=E2=80=99m curious to learn more about it!
>>=20
>> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 19 Apr 2025 11:48:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 19 07:48:49 2025
Received: from localhost ([127.0.0.1]:59141 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u66gi-0007GA-KG
	for submit <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:48:48 -0400
Received: from mout02.posteo.de ([185.67.36.66]:42557)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u66gg-0007Fn-62
 for 77862 <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:48:46 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id E40B1240101
 for <77862 <at> debbugs.gnu.org>; Sat, 19 Apr 2025 13:48:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745063319; bh=Q5WPoa+Fv8rzz5JKzI0JaP0mknyxRSHFYjtOcL7BxBY=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=k2B7+QC7ev+FirqA9Rz8yf9c6RZrhMuDEifAcGhNf0L9o15XywX3I0JYPSu4Fj0+S
 jHmSLz8U+q4FPL2KbBjJPPrG53veUnBARqJh6BdSBZuIt6yy7ETHmI9+iHwqcMOQqo
 3en0qJ8AyfRgl8yB7Il7b+hNbhwQeqFoNPH24Rm2HyEyf+PcFdQ4iboGSYCDLR2+qs
 SmOICQuhbtlXfyJFD5pbIJMWrXpstQRhY5b8baEnpKan/AET6MCcnba4Y3eCYdkUyH
 wIuq+l8ertP95TCwV4P6WeoS4y708GbEaXqPHqgfn8K0RiuK35rCMsmkZamN7J9CB2
 jGNiM3zBKVa6Q==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zfqdz2pP5z6tvc;
 Sat, 19 Apr 2025 13:48:39 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 19 Apr 2025 11:48:39 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87a58e3f4q.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN>
Message-ID: <6bbd118c38ab49593cce3749029569c8@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

On 17.04.2025 18:51, Ludovic Court=C3=A8s wrote:
> keinflue <keinflue@HIDDEN> writes:
>=20
>> Here are excerpts from the build log:
>=20
> Thanks.
>=20
>> Unfortunately I made a mistake and accidentally lost the container in
>> which I tried this, so I can not verify right now whether the patch
>> actually resolves the issue.
>>=20
>> It might take me a day or two to restore it.
>=20
> No worries, I=E2=80=99ll wait for your feedback.
>=20
>> This happened either during or shortly after bootstrap builds, so I
>> don't know whether this was the final coreutils package or one from
>> commencement.scm.
>=20
> OK.
>=20
> If you have a setup for full rebuilds (no substitutes) running in a
> container, I=E2=80=99m curious to learn more about it!

I basically just used "guix shell -CN -D guix" plus some extra packages=20
and shares. Inside the container I built and ran guix from git with=20
--with-store-dir and NIX_STORE set to a different path than /gnu/store.=20
Initially I forgot to add a share for /var which is why I unfortunately=20
broke the container once I existed it.

> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 19 Apr 2025 11:19:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 19 07:19:09 2025
Received: from localhost ([127.0.0.1]:58950 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u66Dy-00088Q-2j
	for submit <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:19:09 -0400
Received: from mout01.posteo.de ([185.67.36.65]:53501)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u66Dr-000864-Lw
 for 77862 <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:19:03 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id 33B35240027
 for <77862 <at> debbugs.gnu.org>; Sat, 19 Apr 2025 13:18:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745061533; bh=u41wj5gqkR17qOffRrqKQKTQ/byqKw8Oh31b6QSu4RY=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=Fipf/4PUaLRRuXTLuG03vy6uHG2GukTsdAzVcxlcYHeqeWPaY5AxLuE8OHcBsFmtK
 xkkg82fEX9LbJtRuqN6bYs/Tyd4gGX/tzSvjpeXytRJj6s7HVdMGOMOmtdqVigfNe6
 i/l3AoZ3Rmje2QofXfVXnur1Z1f/Mw2mdzbe9mLzFWOeeoPAEJUa8WcKPe3SJOrBBG
 FCT8NNp2XrugG/ynjXWe95qualPdvJ1tjeiRObJ7YluRyVviEOetZWQHerDY5+ab/d
 OhdJUmmxM1WO5p6nN3lR3mrd3N7yHyyYpR1xvVWnBOQWcErtooc/ReAgn8nAOTN9Ox
 AhQVYg81jApQQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zfpzc00Cvz6tsb;
 Sat, 19 Apr 2025 13:18:51 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 19 Apr 2025 11:18:51 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87a58e3f4q.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN>
Message-ID: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

I can confirm that the patch resolves the particular failing test.

However I overlooked that there are other failing tests:

> FAIL: tests/chgrp/default-no-deref.sh
> FAIL: tests/chgrp/no-x.sh
> FAIL: tests/chgrp/posix-H.sh
> FAIL: tests/chgrp/recurse.sh
> FAIL: tests/chgrp/basic.sh

Here is an example of the failures:

> + require_membership_in_two_groups_
> + test 0 =3D 0
> + groups=3D'30000 65534'
> + case "$groups" in
> + require_local_dir_
> + require_mount_list_
> + local 'mount_list_fail=3Dcannot read table of mounted file systems'
> + df --local
> + grep -F 'cannot read table of mounted file systems'
> + is_local_dir_ .
> + test 1 =3D 1
> + df --local .
> + set _ 30000 65534
> + shift
> + g2=3D65534
> + mkdir d
> + touch f
> + ln -s ../f d/s
> ++ stat --printf=3D%g f
> + g_init=3D30000
> + chgrp -R 65534 d
> chgrp: changing group of 'd/s': Invalid argument
> chgrp: changing group of 'd': Invalid argument
> + fail=3D1
> ++ stat --printf=3D%g f
> + test 30000 =3D 30000
> + Exit 1
> + set +e
> + exit 1
> + exit 1
> + remove_tmp_
> + __st=3D1
> + cleanup_
> + :
> + test '' =3D yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx=20
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
> + rm -rf=20
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
> + exit 1
> FAIL tests/chgrp/default-no-deref.sh (exit status: 1)

I think this happens if the user running guix-daemon has supplementary=20
groups. These are not mapped via /proc/gid_map in the build container=20
and therefore are reported as the overflow gid (65534) by getgroups.

The test cases assume that they can change ownership to this additional=20
group but that is not permitted on the overflow gid.

I think supplementary groups should be dropped in the user namespace for=20
the build container to make the behavior reproducible. Unfortunately=20
this may be impossible if the parent namespace has set=20
/proc/[...]/setgroups to "deny".

Best,
keinflue

On 17.04.2025 18:51, Ludovic Court=C3=A8s wrote:
> keinflue <keinflue@HIDDEN> writes:
>=20
>> Here are excerpts from the build log:
>=20
> Thanks.
>=20
>> Unfortunately I made a mistake and accidentally lost the container in
>> which I tried this, so I can not verify right now whether the patch
>> actually resolves the issue.
>>=20
>> It might take me a day or two to restore it.
>=20
> No worries, I=E2=80=99ll wait for your feedback.
>=20
>> This happened either during or shortly after bootstrap builds, so I
>> don't know whether this was the final coreutils package or one from
>> commencement.scm.
>=20
> OK.
>=20
> If you have a setup for full rebuilds (no substitutes) running in a
> container, I=E2=80=99m curious to learn more about it!
>=20
> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 19:49:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 15:49:32 2025
Received: from localhost ([127.0.0.1]:48476 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5VEl-0000ew-Rs
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 15:49:31 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48212)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u5VEg-0000cu-3H
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 15:49:24 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u5VEY-0001ai-AP; Thu, 17 Apr 2025 15:49:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=wYU0GrV6wjpP3OK4HOtcXzEamjhNihygC99zgCwo9aA=; b=oA7R+wOLhyA4wT1I2gRF
 Sq/WSXHmvOtlS3Stlplzg56BpjDWeru9PYkjNd99xtzmTNFeVI9JrSA1N94TpanSUG9PhOo2pdUVz
 zBE16xad0QtqqnQ/C86z1/6pVLestnm6ynK8F3c3BPQFakSyXNRzFd8Hud5Pwwl7u18bfmtdNiulN
 mYaWEo6xMDsYVRVOLPR/31TwRsZ9Atp1clJR/cob6vfUnNobkVnRYDXECjQqpCydPCm2p0cyyhirm
 cPshRmYvna01KVS65mbHkFsEA4u0NDANqkq3mWKn6gHUa4Z6y7g3sAfrFlfvbXDM/5VSDrMHHPx1G
 xLA59GtXt5d5NA==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 (keinflue@HIDDEN's message of "Thu, 17 Apr 2025 15:36:32 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Octidi 28 Germinal an 233 de la =?utf-8?Q?R=C3=A9vol?=
 =?utf-8?Q?ution=2C?= jour de la =?utf-8?Q?Pens=C3=A9e?=
Date: Thu, 17 Apr 2025 18:51:49 +0200
Message-ID: <87a58e3f4q.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

keinflue <keinflue@HIDDEN> writes:

> Here are excerpts from the build log:

Thanks.

> Unfortunately I made a mistake and accidentally lost the container in
> which I tried this, so I can not verify right now whether the patch
> actually resolves the issue.
>
> It might take me a day or two to restore it.

No worries, I=E2=80=99ll wait for your feedback.

> This happened either during or shortly after bootstrap builds, so I
> don't know whether this was the final coreutils package or one from
> commencement.scm.

OK.

If you have a setup for full rebuilds (no substitutes) running in a
container, I=E2=80=99m curious to learn more about it!

Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 15:36:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 11:36:45 2025
Received: from localhost ([127.0.0.1]:48146 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5RIC-0004r0-66
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 11:36:44 -0400
Received: from mout02.posteo.de ([185.67.36.66]:47725)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u5RI8-0004pz-BG
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 11:36:41 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 0E237240101
 for <77862 <at> debbugs.gnu.org>; Thu, 17 Apr 2025 17:36:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1744904194; bh=sEwaj+QNX/WrZTfR/JqlI2Kus3utizJ9IWYOaZ8vHnk=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=QSs9wndeWwy7WwHi9oTVwrCJYA11E7WcjF4KuNIG6UvY+0IEEdiUZRduUyDgWZJ+X
 SimGggKoqC4Cg4uHG4X+mD1lXzWy+uL2OuhEV3lnG4qBr6czhBB8QHMvFE7CrkQc6z
 IuEkKZccavDbjMUxfND6AoBzy1WfGePGWtmsjleOZdG2lwlnzSN+5OljaaxuQbDXPG
 2PktJlDChPN4l9pd//hd/8EHTwVLizGzZHAdHZM6iTVkzaV8cOG+PiqPJUVR5U2n1E
 cJGqh+0Mwmh6dUIQs4WvGOvd9mxssBq4On+AZXHbMEmKEACwxggOblmXz0wMn5peJg
 W6jauivqxOGbQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zdhns1FJrz9rxK;
 Thu, 17 Apr 2025 17:36:32 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 17 Apr 2025 15:36:32 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <878qny530h.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN>
Message-ID: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Here are excerpts from the build log:

> ERROR: tests/chown/separator
> ============================
> 
> ++ initial_cwd_=/tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1

[...]

> ++ id -u
> + id_u=30001
> + test -n 30001
> ++ id -un
> + id_un=nixbld
> + test -n nixbld
> ++ id -g
> + id_g=30000
> + test -n 30000
> ++ id -gn
> id: cannot find name for group ID 30000
> + id_gn=30000
> + framework_failure_
> + warn_ 'separator.sh: set-up failure: '
> + case $IFS in
> + printf '%s\n' 'separator.sh: set-up failure: '
> separator.sh: set-up failure:
> + test 9 = 2
> + printf '%s\n' 'separator.sh: set-up failure: '
> + sed 1q
> + Exit 99
> + set +e
> + exit 99
> + exit 99
> + remove_tmp_
> + __st=99
> + cleanup_
> + :
> + test '' = yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx 
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + rm -rf 
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + exit 99
> ERROR tests/chown/separator.sh (exit status: 99)

[...]

> error: in phase 'check': uncaught exception:
> srfi-34 #<condition &invoke-error [program: "make" arguments: ("check" 
> "-j" "16") exit-status: 2 term-signal: #f stop-signal: #f] 2df6100> >
> phase `check' failed after 15.2 seconds
> command "make" "check" "-j" "16" failed with status 2
> build process 2 exited with status 256

Yes, I believe the patch as suggested is correct (with my limited 
understanding given that the lines above were changed in the same way).

Unfortunately I made a mistake and accidentally lost the container in 
which I tried this, so I can not verify right now whether the patch 
actually resolves the issue.

It might take me a day or two to restore it.

This happened either during or shortly after bootstrap builds, so I 
don't know whether this was the final coreutils package or one from 
commencement.scm.

Best,
keinflue

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 14:24:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 10:24:47 2025
Received: from localhost ([127.0.0.1]:48035 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5QAY-00057A-Ax
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 10:24:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:45748)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u5QAS-00055J-0G
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 10:24:43 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u5QAM-0001sn-BP; Thu, 17 Apr 2025 10:24:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=Gn7EZbmDjBFOb8qzkMA6g7bAntClza2m7f6aaKj90fw=; b=L+O5S1iqcbkZoMe9SvLc
 wmDx/92l09g1WaGLa77PcjF6k3kARPApOg7zWTBorsZ6+FfyAeZkRFslyyXfnpmS29tloIjwwc/MB
 JNEiCI3xt5SeNAoGR90cUPFFlgHKjFmC0H9+zY/eIw0Uky6U6XxHZXQZ8Uu6CMeOPHDgXRT8U+9Qw
 EitH0PCdNofq5AV+SK1bntuFvdMsP890YkKjmK69TBVjKo+Y72ECfPLWFVd7s1bbgkmjjkKJFGr4B
 XpAXSN4bXT53YsPhHf5iLKFZPv9vzY055hiq0TeBdCYkYkqMpakk/fEJpRA9Pn2XTyhljBKfmCQhk
 mG0Fi7x2FRaWRA==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 (keinflue@HIDDEN's message of "Thu, 17 Apr 2025 11:20:47 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Octidi 28 Germinal an 233 de la =?utf-8?Q?R=C3=A9vol?=
 =?utf-8?Q?ution=2C?= jour de la =?utf-8?Q?Pens=C3=A9e?=
Date: Thu, 17 Apr 2025 15:30:38 +0200
Message-ID: <878qny530h.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain

Hi,

keinflue <keinflue@HIDDEN> writes:

> When using the new ability of guix-daemon to run as non-root with the
> help of user namespaces, the testsuite of coreutils fails.

Could you include a build log snippet?  (Also useful to have it inline
so that someone searching for discussions about the bug can find it.)

> This is because the daemon incorrectly uses the host GID instead of
> the guest GID in the build container's /etc/group, which the testsuite
> uses to lookup the group's name via id -gn.

I believe the fix you suggest is this:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 4ee4a1ae5f..a1f39d9a8b 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder()
            view of the system (e.g., "id -gn"). */
         writeFile(chrootRootDir + "/etc/group",
             (format("nixbld:!:%1%:\n")
-                % (buildUser.enabled() ? buildUser.getGID() : getgid())).str());
+                % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str());
 
         /* Create /etc/hosts with localhost entry. */
         if (!fixedOutput)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Correct?

Thanks,
Ludo=E2=80=99.

--=-=-=--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 17 Apr 2025 11:21:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 07:21:07 2025
Received: from localhost ([127.0.0.1]:46010 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5NIn-0006zb-Pe
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 07:21:07 -0400
Received: from lists.gnu.org ([2001:470:142::17]:58714)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u5NIj-0006xx-M9
 for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 07:21:03 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <keinflue@HIDDEN>)
 id 1u5NId-0007X8-Rr
 for bug-guix@HIDDEN; Thu, 17 Apr 2025 07:20:55 -0400
Received: from mout01.posteo.de ([185.67.36.65])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <keinflue@HIDDEN>)
 id 1u5NIb-0000NE-JI
 for bug-guix@HIDDEN; Thu, 17 Apr 2025 07:20:55 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id B6F34240027
 for <bug-guix@HIDDEN>; Thu, 17 Apr 2025 13:20:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1744888848; bh=0Zp9kpsVDM1yjzbuhfYuBVA+d731mZtyED2j870JAvk=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=Lhruc/+YeNtbuoXXKLC+O9dys5LZhItPtcBcSPrVHh/+ALrqphfZ2afqqINKkso33
 ljG5DGerEEjAkkE6+LLGeaL/asXbPYHmMb659D8c6/8aHJ4aGHuZdL+2oCEzwJJMX4
 96MAntljylj1psuGKM8xPO2tppP+w0rCMXDE6F/Q1XCaYYqk3cKY6f87RQf3fqzg8f
 UuEfDETOrxN+fOqbkOHiXNda3v5mQrqUPhG5O7H65yUt42y1U4jcsO1hWjLEt+YRfi
 QZjXsEBuR2EMYdDz8RCvQxMJUqxmXK7MlkgAUmkog+RMchjOMss73JbPYYnVVhR/0/
 gUV8tsPGF5izg==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zdb6m0z5rz9rxM;
 Thu, 17 Apr 2025 13:20:47 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 17 Apr 2025 11:20:47 +0000
From: keinflue <keinflue@HIDDEN>
To: bug-guix@HIDDEN
Subject: guix-daemon run as non-root sets up /etc/group incorrectly in build
 container
Message-ID: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=185.67.36.65; envelope-from=keinflue@HIDDEN;
 helo=mout01.posteo.de
X-Spam_score_int: -43
X-Spam_score: -4.4
X-Spam_bar: ----
X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: submit
Cc: ludo@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

When using the new ability of guix-daemon to run as non-root with the 
help of user namespaces, the testsuite of coreutils fails.

This is because the daemon incorrectly uses the host GID instead of the 
guest GID in the build container's /etc/group, which the testsuite uses 
to lookup the group's name via id -gn.