From: Reepca Russelstein <reepca@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Tue, 03 Jun 2025 08:05:21 -0500
Message-ID: <87a56pq8ku.fsf@HIDDEN>
In-Reply-To: <87ecw1onun.fsf@HIDDEN>

Ludovic Courtès <ludo@HIDDEN> writes:

> Hey Reepca,
>
> Reepca Russelstein <reepca@HIDDEN> writes:
>
>> Ludovic Courtès <ludo@HIDDEN> writes:
>
> [...]
>
>>> The attached patch tries to do that, by calling out to ‘newuidmap’, and
>>> under the assumption that /etc/subgid allows mapping the ‘kvm’ group.
>>>
>>> It does the job (a build process can chown to ‘kvm’), but I couldn’t get
>>> the GID mapping preserved across the ‘unshare’ call (the call that is
>>> made to “lock” mounts), hence the “#if 0” there.
>>>
>>> The problem is that when we call ‘unshare’, the ‘newgidmap’ setuid
>>> binary is no longer accessible because we’re already in a chroot, so it
>>> seems that we cannot preserve the GID map.
>>
>> ... and even if we had the setuid binary accessible (for example via a
>> saved file descriptor that could be used with execveat, or a
>> bind-mount), it wouldn't be of any use at this point because (man
>> user_namespaces):
>>
>> "if either the user or the group ID of the file has no mapping inside
>> the namespace, the set-user-ID (set-group-ID) bit is silently ignored:
>> the new program is executed, but the process's effective user (group) ID
>> is left unchanged."
>>
>> Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
>> newuidmap and newgidmap can't ever be used from within an uninitialized
>> user namespace, since by definition uid 0 isn't yet mapped in it.
>>
>> So it falls to the parent process to do the initialization - that is, it
>> now has to do the initialization twice.  Of course, it's going to need
>> some way of knowing when the second user namespace has been created, and
>> the child is going to need some way of knowing when it's been
>> initialized, so we'll need to either use two pipes or switch to using a
>> socketpair.
>
> That makes sense, thanks for explaining!
>
> However, I think part of the rules still don’t fit in my head.  Here’s
> what I have now (parent is 6929):
>
> 6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
> 6929  write(17, "30001 1000 1", 12) = 12
> 6929  close(17) = 0
> 6929  openat(AT_FDCWD, "/proc/6938/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
> 6929  write(17, "deny", 4) = 4
> 6929  close(17) = 0
> 6929  openat(AT_FDCWD, "/proc/6938/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
> 6929  write(17, "30000 998 1", 11) = 11
> 6929  close(17) = 0
> […]
> 6938  unshare(CLONE_NEWNS|CLONE_NEWUSER) = 0
> 6938  write(20, "reinit\n", 7) = 7
> 6929  <... read resumed>"reinit\n", 20) = 7
> 6938  read(17,  <unfinished ...>
> 6929  write(4, "gmlo\0\0\0\0+\0\0\0\0\0\0\0| reinitializing UID/GID mapping of 6938\n\0\0\0\0\0", 64) = 64
> 6929  getgid() = 998
> 6929  getuid() = 1000
> 6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
> 6929  write(17, "30001 1000 1", 12) = -1 EPERM (Operation not permitted)
>
> Why oh why would we get EPERM the second time?
>
> These restrictions appear to be respected:
>
>   • The data written to uid_map (gid_map) must consist of a single
>     line that maps the writing process's effective user ID
>     (group ID) in the parent user namespace to a user ID (group
>     ID) in the user namespace.
>
>   • The writing process must have the same effective user ID as
>     the process that created the user namespace.
>
> Or is the user namespace of the parent (6929) not the same as “the
> parent user namespace”?

I'm afraid that is indeed what we're running into: "the parent user
namespace" is the one created by clone.  And because the parent user
namespace is not the root user namespace, we couldn't run newgidmap
from within it, even if we still had a process around that was in it.

However, at this point, we actually don't need to use newgidmap,
because we have CAP_SETGID in the current user namespace... but in
order to use the "no restrictions" version of writing to gid_map, it's
necessary for the writing process to have CAP_SETGID in the *parent*
user namespace (in hindsight, this is what the actual problem was with
the original patch - it specified "true" for haveCapSetGID, so it
shouldn't have been using newgidmap anyway).  This necessarily
requires that the writing process is not in the user namespace being
initialized, and because it must either be in the namespace being
initialized or its parent user namespace, that means it must be in the
parent user namespace.  Of course, at this point, no processes exist
in the parent user namespace.

So if you'll bear with the extreme awkwardness, we could fork a helper
process immediately prior to calling unshare, which, upon receiving a
notification, will initialize the parent process's user namespace.
Note that the naming here is going to be inverted for process ancestry
and user namespace ancestry: the child process is in the parent user
namespace, and the parent process is in the child user namespace.

> Thanks for your patience. :-)
>
> Ludo’.
>
> PS: The more I use it, the less I can stand this user namespace soup
> presented as an “API”.

It certainly has a lot of clauses.  I will say, I did some reading of
the GNU Mach manual and was awed by how much simpler things could be if
every system call dealing with processes just took an explicit task port
argument like it does there.  The requirement that so many things
associated with processes can only be manipulated indirectly, and
usually only by the process itself, has caused no end of troubles, and
as the number of process-associated attributes in Linux continues to
grow, the interactions will likely only get more complicated.  It's not
the kind of job security that gives any satisfaction.

- reepca
From: Ludovic Courtès <ludo@HIDDEN>
To: Reepca Russelstein <reepca@HIDDEN>
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Mon, 02 Jun 2025 23:06:08 +0200
Message-ID: <87ecw1onun.fsf@HIDDEN>
In-Reply-To: <875xhw84w7.fsf@HIDDEN>

Hey Reepca,

Reepca Russelstein <reepca@HIDDEN> writes:

> Ludovic Courtès <ludo@HIDDEN> writes:

[...]

>> The attached patch tries to do that, by calling out to ‘newuidmap’, and
>> under the assumption that /etc/subgid allows mapping the ‘kvm’ group.
>>
>> It does the job (a build process can chown to ‘kvm’), but I couldn’t get
>> the GID mapping preserved across the ‘unshare’ call (the call that is
>> made to “lock” mounts), hence the “#if 0” there.
>>
>> The problem is that when we call ‘unshare’, the ‘newgidmap’ setuid
>> binary is no longer accessible because we’re already in a chroot, so it
>> seems that we cannot preserve the GID map.
>
> ... and even if we had the setuid binary accessible (for example via a
> saved file descriptor that could be used with execveat, or a
> bind-mount), it wouldn't be of any use at this point because (man
> user_namespaces):
>
> "if either the user or the group ID of the file has no mapping inside
> the namespace, the set-user-ID (set-group-ID) bit is silently ignored:
> the new program is executed, but the process's effective user (group) ID
> is left unchanged."
>
> Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
> newuidmap and newgidmap can't ever be used from within an uninitialized
> user namespace, since by definition uid 0 isn't yet mapped in it.
>
> So it falls to the parent process to do the initialization - that is, it
> now has to do the initialization twice.  Of course, it's going to need
> some way of knowing when the second user namespace has been created, and
> the child is going to need some way of knowing when it's been
> initialized, so we'll need to either use two pipes or switch to using a
> socketpair.

That makes sense, thanks for explaining!

However, I think part of the rules still don’t fit in my head.  Here’s
what I have now (parent is 6929):

--8<---------------cut here---------------start------------->8---
6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
6929  write(17, "30001 1000 1", 12) = 12
6929  close(17) = 0
6929  openat(AT_FDCWD, "/proc/6938/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
6929  write(17, "deny", 4) = 4
6929  close(17) = 0
6929  openat(AT_FDCWD, "/proc/6938/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
6929  write(17, "30000 998 1", 11) = 11
6929  close(17) = 0
[…]
6938  unshare(CLONE_NEWNS|CLONE_NEWUSER) = 0
6938  write(20, "reinit\n", 7) = 7
6929  <... read resumed>"reinit\n", 20) = 7
6938  read(17,  <unfinished ...>
6929  write(4, "gmlo\0\0\0\0+\0\0\0\0\0\0\0| reinitializing UID/GID mapping of 6938\n\0\0\0\0\0", 64) = 64
6929  getgid() = 998
6929  getuid() = 1000
6929  openat(AT_FDCWD, "/proc/6938/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 17
6929  write(17, "30001 1000 1", 12) = -1 EPERM (Operation not permitted)
--8<---------------cut here---------------end--------------->8---

Why oh why would we get EPERM the second time?

These restrictions appear to be respected:

  • The data written to uid_map (gid_map) must consist of a single
    line that maps the writing process's effective user ID
    (group ID) in the parent user namespace to a user ID (group
    ID) in the user namespace.

  • The writing process must have the same effective user ID as
    the process that created the user namespace.

Or is the user namespace of the parent (6929) not the same as “the
parent user namespace”?

Thanks for your patience. :-)

Ludo’.

PS: The more I use it, the less I can stand this user namespace soup
presented as an “API”.
From: Reepca Russelstein <reepca@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: keinflue <keinflue@HIDDEN>, 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Mon, 19 May 2025 20:09:12 -0500
Message-ID: <875xhw84w7.fsf@HIDDEN>
In-Reply-To: <87jz6c67sf.fsf@HIDDEN>

Ludovic Courtès <ludo@HIDDEN> writes:

> Hello,
>
> (Cc: Reepca.)
>
> keinflue <keinflue@HIDDEN> writes:
>
>> It seems that the "chown to overflowgid" issue is somewhat
>> widespread.  I also see the testsuite for go (bootstrap) failing in the
>> same way.  I'd guess most implementations of "chown" system call
>> wrappers in various languages will have test cases like this that fail
>> to anticipate user namespaces.  I will let my system build keep running
>> a bit longer and will then post the list of packages I found with log
>> excerpts here.
>
> I think it would be best to support chown-to-supplementary-group even
> with the unprivileged daemon (specifically for the case where
> guix-daemon runs as a dedicated user, and that this user has one
> supplementary group, kvm).
>
> The attached patch tries to do that, by calling out to ‘newuidmap’, and
> under the assumption that /etc/subgid allows mapping the ‘kvm’ group.
>
> It does the job (a build process can chown to ‘kvm’), but I couldn’t get
> the GID mapping preserved across the ‘unshare’ call (the call that is
> made to “lock” mounts), hence the “#if 0” there.
>
> The problem is that when we call ‘unshare’, the ‘newgidmap’ setuid
> binary is no longer accessible because we’re already in a chroot, so it
> seems that we cannot preserve the GID map.

... and even if we had the setuid binary accessible (for example via a
saved file descriptor that could be used with execveat, or a
bind-mount), it wouldn't be of any use at this point because (man
user_namespaces):

"if either the user or the group ID of the file has no mapping inside
the namespace, the set-user-ID (set-group-ID) bit is silently ignored:
the new program is executed, but the process's effective user (group) ID
is left unchanged."

Naturally, uid 0 isn't going to be mapped!  In fact, more generally,
newuidmap and newgidmap can't ever be used from within an uninitialized
user namespace, since by definition uid 0 isn't yet mapped in it.

So it falls to the parent process to do the initialization - that is, it
now has to do the initialization twice.  Of course, it's going to need
some way of knowing when the second user namespace has been created, and
the child is going to need some way of knowing when it's been
initialized, so we'll need to either use two pipes or switch to using a
socketpair.

Of some concern also is the ominous statement in "man newgidmap" that
"Note that newgidmap may be used only once for a given process."  I have
no idea how or why it would enforce this, and I'm going to assume for
now that what is actually meant is that "a given user namespace's gid
mapping cannot be written more than once", which is just a restatement
of what "man user_namespaces" says.

It's too bad that the user namespaces implementation doesn't allow
unprivileged users to map their own supplementary groups.  I can't think
of any reason not to - a user can already switch their effective gid to
any supplementary gid they have by creating and executing a setgid
program for that gid.  Are there any operations that require both a
capability /and/ a (mapped) egid check to pass?  It wouldn't surprise me
if the ultimate reason is that the kernel devs wanted to reuse code for
uid_map and gid_map, and that it's easier to verify one line than try to
verify an arbitrary set of gids, including ones in potentially-large
ranges.  It's just an unfortunate consequence that this means that all
unprivileged user namespaces have to carry gibberish supplementary
groups around that they can "use" but not comprehend.  But as long as
/etc/subgid is configured to allow each user to map all of the groups
they are a member of, it can at least be worked around.

- reepca

From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org, Reepca Russelstein <reepca@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Mon, 19 May 2025 15:37:20 +0200
Message-ID: <87jz6c67sf.fsf@HIDDEN>

Hello,

(Cc: Reepca.)

keinflue <keinflue@HIDDEN> writes:

> It seems that the "chown to overflowgid" issue is somewhat
> widespread. I also see the testsuite for go (bootstrap) failing in the
> same way. I'd guess most implementations of "chown" system call
> wrappers in various languages will have test cases like this that fail
> to anticipate user namespaces. I will let my system build keep running
> a bit longer and will then post the list of packages I found with log
> excerpts here.

I think it would be best to support chown-to-supplementary-group even with the unprivileged daemon (specifically for the case where guix-daemon runs as a dedicated user, and that this user has one supplementary group, kvm).

The attached patch tries to do that, by calling out to ‘newuidmap’, and under the assumption that /etc/subgid allows mapping the ‘kvm’ group.

It does the job (a build process can chown to ‘kvm’), but I couldn’t get the GID mapping preserved across the ‘unshare’ call (the call that is made to “lock” mounts), hence the “#if 0” there.

The problem is that when we call ‘unshare’, the ‘newgidmap’ setuid binary is no longer accessible because we’re already in a chroot, so it seems that we cannot preserve the GID map.

Thoughts?

Ludo’.

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index a1f39d9a8b..83754b06bd 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -13,6 +13,7 @@ #include <map> #include <sstream> #include <algorithm> +#include <iostream> #include <limits.h> #include <time.h> @@ -23,6 +24,7 @@ #include <sys/utsname.h> #include <fcntl.h> #include <unistd.h> +#include <grp.h> #include <errno.h> #include <stdio.h> #include <cstring> 
@@ -1635,15 +1637,77 @@ static const gid_t guestGID = 30000; /* Initialize the user namespace of CHILD. */ static void initializeUserNamespace(pid_t child, uid_t hostUID = getuid(), - gid_t hostGID = getgid()) + gid_t hostGID = getgid(), + const std::vector<std::pair<gid_t, gid_t>> extraGIDs = {}, + bool haveCapSetGID = false) { writeFile("/proc/" + std::to_string(child) + "/uid_map", (format("%d %d 1") % guestUID % hostUID).str()); - writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + if (!haveCapSetGID && !extraGIDs.empty()) { + try { + Strings args = { + std::to_string(child), + std::to_string(guestGID), std::to_string(hostGID), "1" + }; + for (auto &pair: extraGIDs) { + args.push_back(std::to_string(pair.second)); + args.push_back(std::to_string(pair.first)); + args.push_back("1"); + } + runProgram("newgidmap", true, args); + printMsg(lvlChatty, + format("mapped %1% extra GIDs into namespace of PID %2%") + % extraGIDs.size() % child); + return; + } catch (const ExecError &e) { + ignoreException(); + } + std::cerr << "here i am\n"; + } - writeFile("/proc/" + std::to_string(child) + "/gid_map", - (format("%d %d 1") % guestGID % hostGID).str()); + if (!haveCapSetGID) + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + auto content = (format("%d %d 1\n") % guestGID % hostGID).str(); + if (haveCapSetGID) { + for (auto &mapping: extraGIDs) { + content += (format("%d %d 1\n") % mapping.second % mapping.first).str(); + } + } + writeFile("/proc/" + std::to_string(child) + "/gid_map", content); +} + +/* Return the ID of the "kvm" group or -1 if it does not exist or is not part + of the current users supplementary groups. 
*/ +static gid_t kvmGID() +{ + struct group *kvm = getgrnam("kvm"); + if (kvm == NULL) return -1; + + size_t max = 64; + gid_t groups[max]; + int count = getgroups(max, groups); + if (count < 0) return -1; + + for (int i = 0; i < count; i++) { + if (groups[i] == kvm->gr_gid) return kvm->gr_gid; + } + + return -1; +} + +static gid_t guestKVMGID = 40000; + +static std::vector<std::pair<gid_t, gid_t>> kvmGIDMapping() +{ + gid_t kvm = kvmGID(); + if (kvm == -1) + return {}; + else { + std::pair<gid_t, gid_t> mapping(kvm, guestKVMGID); + return { mapping }; + } } void DerivationGoal::startBuilder() @@ -2016,8 +2080,9 @@ void DerivationGoal::startBuilder() readiness.readSide.close(); if ((flags & CLONE_NEWUSER) != 0) { /* Initialize the UID/GID mapping of the child process. */ - initializeUserNamespace(pid); - writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + auto extraGIDs = kvmGIDMapping(); + initializeUserNamespace(pid, getuid(), getgid(), extraGIDs); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); } readiness.writeSide.close(); } else @@ -2269,10 +2334,12 @@ void DerivationGoal::runChild() auto uid = getuid(); auto gid = getgid(); +#if 0 // FIXME! if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) throw SysError(format("creating new user and mount namespaces")); - initializeUserNamespace(getpid(), uid, gid); + auto extraGIDs = { std::pair<gid_t, gid_t>(guestKVMGID, guestKVMGID) }; + initializeUserNamespace(getpid(), uid, gid, extraGIDs, true); /* Check that mounts within the build environment are "locked" together and cannot be separated from within the build @@ -2282,6 +2349,7 @@ void DerivationGoal::runChild() check that this is what we get. */ int ret = umount(tmpDirInSandbox.c_str()); assert(ret == -1 && errno == EINVAL); +#endif } } #endif diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 56f116046c..b2c9b9f639 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc 
@@ -1081,9 +1081,11 @@ string runProgram(Path program, bool searchPath, const Strings & args) /* Wait for the child to finish. */ int status = pid.wait(true); - if (!statusOk(status)) + std::cerr << "status not ok: " << status << "\n"; + if (!statusOk(status)) { throw ExecError(format("program `%1%' %2%") % program % statusToString(status)); + } return result; } --=-=-=--
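Review bot: the `#include <iostream>` added in the first build.cc hunk (@@ -13,6 +13,7 @@) exists only to serve the `std::cerr << "here i am\n"` debugging line further down in the same file; drop both together before merging, or route the message through `printMsg` like the rest of the file does.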
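Review bot: in the third build.cc hunk (@@ -1635,15 +1637,77 @@), `kvmGID()` caps `getgroups()` at 64 entries and returns -1 on any failure, so a daemon user with more than 64 supplementary groups gets EINVAL and silently loses the kvm mapping; size the buffer from a first `getgroups(0, NULL)` call instead. The function also returns `-1` through an unsigned `gid_t`, and `kvmGIDMapping()` compares `kvm == -1`; that only works through implicit conversion, so `(gid_t) -1` or a bool out-parameter would make the intent explicit. Two further points: the `newgidmap` branch returns before the `setgroups` "deny" write, so when the helper succeeds the namespace is left with `setgroups` allowed (required for a multi-line `gid_map`, but it deserves a comment saying the build process may then call `setgroups()`), and `static gid_t guestKVMGID = 40000;` should be `const` like `guestGID` above it.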
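Review bot: in the startBuilder hunk (@@ -2016,8 +2080,9 @@), `kvmGIDMapping()` re-resolves the kvm group through `getgrnam()` and `getgroups()` on every build; the daemon's groups do not change at runtime, so computing the mapping once at startup avoids an NSS lookup per derivation and surfaces a missing or unjoined kvm group in the daemon log once rather than per build. The `writeFull(readiness.writeSide, ...)` `-`/`+` pair differs only in indentation and adds noise to the diff.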
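Review bot: the `#if 0 // FIXME!` in the runChild hunk (@@ -2269,10 +2334,12 @@, closed by the `+#endif` in the following hunk) disables not only the new gid mapping but also the existing `unshare(CLONE_NEWNS | CLONE_NEWUSER)` call and the `umount()`/`EINVAL` assertion that verifies mounts are locked together; as posted, every unprivileged build loses that protection whether or not a kvm group is mapped, and `uid`/`gid` become unused variables. Keep the unshare and the mount-lock check unconditional and gate only the `extraGIDs` mapping. Separately, `initializeUserNamespace(getpid(), uid, gid, extraGIDs, true)` passes `haveCapSetGID = true` as an assumption rather than a checked fact; user_namespaces(7), as quoted earlier in this thread, makes CAP_SETGID in the parent user namespace the condition for a multi-line map, so the write should check its result and fall back to the single-line map instead of assuming the capability.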
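Review bot: in the util.cc hunk (@@ -1081,9 +1081,11 @@), `std::cerr << "status not ok: " << status << "\n";` sits before the `if (!statusOk(status))` test, so it prints the raw wait status for every `runProgram` call, successful or not, and util.cc gets no `<iostream>` include in this patch. Either drop the line or move it inside the `if` and emit it through `printMsg` using `statusToString(status)`, which the `throw` on the next line already formats.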

From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 03 May 2025 19:05:34 +0000
Message-ID: <e153f8b1b38b01c93bc29d11091091a3@HIDDEN>

On 03.05.2025 18:14, Ludovic Courtès wrote:
> Hi,
>
> keinflue <keinflue@HIDDEN> writes:
>
>> Unfortunately the python package also fails with equivalent test
>> failures. It also has another failure mode where it expects a syscall
>> to change ownership to the overflow uid to result in EPERM, while it
>> will produce EINVAL (which happens even if there are no supplementary
>> groups). Should I post the details here or open a new issue?
>
> I think you can post it here. Perhaps we should eventually keep all the
> issues in this category together in a text file somewhere, with log
> excerpts: that would allow us to better assess the packages affected by
> this difference between the privileged and the unprivileged daemon.

It seems that the "chown to overflowgid" issue is somewhat widespread. I also see the testsuite for go (bootstrap) failing in the same way. I'd guess most implementations of "chown" system call wrappers in various languages will have test cases like this that fail to anticipate user namespaces. I will let my system build keep running a bit longer and will then post the list of packages I found with log excerpts here.

>
> I wonder if we should set up a separate Cuirass instance or something
> building everything with the unprivileged daemon.

That would probably help since I am going to only test the packages that I am using myself in order to evaluate switching to the unprivileged guix-daemon. I don't have the resources to do more.

> Thanks,
> Ludo’.
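The check those chown test cases are missing, as an added example that is not code from this thread, Guix, coreutils or gnulib: parse /proc/self/gid_map ("ID-inside-ns ID-outside-ns length" per line) and keep only the supplementary GIDs that are actually mapped in the current user namespace, since unmapped groups come back from getgroups() as the overflow GID and chown() to them fails with EINVAL rather than EPERM. The sample map used in the comments (guest 30000 for the daemon's host GID 1000, guest 40000 for a host kvm GID of 998) is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* One "ID-inside-ns ID-outside-ns length" line of /proc/PID/gid_map
   (uid_map has the same format). */
struct id_range {
    unsigned long long inside, outside, count;
};

/* Parse MAP_TEXT, the contents of a gid_map/uid_map file, into RANGES.
   Returns the number of ranges, or -1 on a malformed line or overflow.
   Constructed sample input: "30000 1000 1\n40000 998 1\n". */
int parse_id_map(const char *map_text, struct id_range *ranges, size_t max)
{
    size_t n = 0;
    for (const char *p = map_text; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128], extra;
        struct id_range r;

        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {                       /* tolerate blank lines */
            /* Exactly three numbers per line; a fourth token is garbage. */
            if (n == max || sscanf(line, "%llu %llu %llu %c",
                                   &r.inside, &r.outside, &r.count, &extra) != 3)
                return -1;
            /* IDs are 32-bit and a range must not wrap around. */
            if (r.count == 0 || r.inside > 0xFFFFFFFFULL || r.outside > 0xFFFFFFFFULL
                || r.count > 0x100000000ULL - r.inside)
                return -1;
            ranges[n++] = r;
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return (int)n;
}

/* Is ID usable inside the namespace described by RANGES? */
int id_mapped(const struct id_range *ranges, int n, unsigned long long id)
{
    for (int i = 0; i < n; i++)
        if (id >= ranges[i].inside && id - ranges[i].inside < ranges[i].count)
            return 1;
    return 0;
}

/* Keep only the GIDs from IN that are mapped.  The rest are the overflow GID
   that getgroups() substitutes for unmapped groups; chown() to that GID
   fails with EINVAL, not the EPERM a naive test expects. */
size_t filter_mapped_groups(const struct id_range *ranges, int n,
                            const gid_t *in, size_t in_n, gid_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < in_n; i++)
        if (id_mapped(ranges, n, in[i]))
            out[kept++] = in[i];
    return kept;
}

/* Read /proc/self/gid_map into BUF; returns its length or -1. */
long read_self_gid_map(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/gid_map", "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

/* Report which of the caller's supplementary groups are safe chown() targets. */
int main(void)
{
    char text[4096];
    struct id_range ranges[64];
    gid_t groups[256], usable[256];

    if (read_self_gid_map(text, sizeof text) < 0) { perror("/proc/self/gid_map"); return 1; }
    int n = parse_id_map(text, ranges, 64);
    int g = getgroups(256, groups);
    if (n < 0 || g < 0) { fprintf(stderr, "cannot read gid_map or groups\n"); return 1; }
    size_t kept = filter_mapped_groups(ranges, n, groups, (size_t)g, usable);
    printf("%d supplementary groups, %zu mapped in this namespace\n", g, kept);
    for (int i = 0; i < g; i++)
        if (!id_mapped(ranges, n, groups[i]))
            printf("gid %u is the overflow GID here: not a valid chown() target\n",
                   (unsigned)groups[i]);
    return 0;
}
```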

From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 03 May 2025 18:14:25 +0200
Message-ID: <87r0158ye6.fsf@HIDDEN>

Hi,

keinflue <keinflue@HIDDEN> writes:

> Unfortunately the python package also fails with equivalent test
> failures. It also has another failure mode where it expects a syscall
> to change ownership to the overflow uid to result in EPERM, while it
> will produce EINVAL (which happens even if there are no supplementary
> groups). Should I post the details here or open a new issue?

I think you can post it here. Perhaps we should eventually keep all the issues in this category together in a text file somewhere, with log excerpts: that would allow us to better assess the packages affected by this difference between the privileged and the unprivileged daemon.

>> I will see whether I can report the issue(s) upstream to coreutils and
>> gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a
>> similar fix was applied to handle special gids on MacOS. Unfortunately
>> the default Linux overflow gid is not included in that list. In any
>> case, the patch needs to be adjusted for newer coreutils versions.
>
> coreutils already responded and fixed the issue
> (https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78225).

That was fast!

> I still have to report to gnulib, but wanted to try building the
> standalone gnulib package first, which caused me to trip over the
> python issues.

Alright. Thanks a lot for this very important work.

I wonder if we should set up a separate Cuirass instance or something building everything with the unprivileged daemon.

Thanks,
Ludo’.

From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 03 May 2025 11:00:28 +0000
Message-ID: <3d2f28f5fa7d133f97988a9f05cf3942@HIDDEN>

> It seems that now the system build proceeds much further (still
> running).

Unfortunately the python package also fails with equivalent test failures. It also has another failure mode where it expects a syscall to change ownership to the overflow uid to result in EPERM, while it will produce EINVAL (which happens even if there are no supplementary groups). Should I post the details here or open a new issue?

> I will see whether I can report the issue(s) upstream to coreutils and
> gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a
> similar fix was applied to handle special gids on MacOS. Unfortunately
> the default Linux overflow gid is not included in that list. In any
> case, the patch needs to be adjusted for newer coreutils versions.

coreutils already responded and fixed the issue (https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78225).

I still have to report to gnulib, but wanted to try building the standalone gnulib package first, which caused me to trip over the python issues.

>>
>> Thanks,
>> Ludo’.

From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 03 May 2025 02:16:40 +0000
Message-ID: <22a7f1de383bd8bd4521c8a4b78993f3@HIDDEN>

Hi,

On 02.05.2025 17:38, Ludovic Courtès wrote:
> Hello,
>
> keinflue <keinflue@HIDDEN> writes:
>
>> I also had another look and I missed that effectively CAP_SETGID is
>> required in the _parent_ namespace in order to use setgroups (because
>> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
>> forced).
>>
>> But the same seems to also be required to map more than the own
>> effective uid/gid of the process into the namespace.
>
> Right, user_namespaces(7) makes it clear:
>
>   • The data written to uid_map (gid_map) must consist of a single
>     line that maps the writing process's effective user ID
>     (group ID) in the parent user namespace to a user ID (group
>     ID) in the user namespace.
>
>> So I guess neither solution of dropping or mapping supplementary
>> groups will work completely unprivileged and the only solution is to
>> modify or disable the coreutils test case.
>
> Yes, I came to this conclusion as well.
>
> I believe the attached Coreutils patch should fix that (yet to be
> tested). Would be worth reporting upstream as well because in a way
> it’s a failure of the test framework.

I tried to test the patch:

I had trouble with the normal origin patches mechanism. The first failing coreutils package is coreutils-final from commencement.scm and I didn't manage to properly replace that package without a dependency on the unpatched package remaining. Instead I wrote an equivalent substitute* in a post-unpack phase.

The test cases mentioned earlier now succeeded, but another testsuite for gnulib (also as part of coreutils) failed afterwards. The failure cause is the same, except this time written in C sources. I also fixed that via substitute* clauses. See attached patch. This unfortunately causes rebuilds of the coreutils-mesboot (and coreutils-boot0) packages as well, although those do not perform the tests.

It seems that now the system build proceeds much further (still running).

I will see whether I can report the issue(s) upstream to coreutils and gnulib. I noticed that in coreutils 9.2 (guix is currently 9.1) a similar fix was applied to handle special gids on MacOS. Unfortunately the default Linux overflow gid is not included in that list. In any case, the patch needs to be adjusted for newer coreutils versions.

>
> Thanks,
> Ludo’.
[Attachment: coreutils.diff (text/x-patch, 838 bytes); base64-encoded body omitted]
From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Fri, 02 May 2025 17:38:59 +0200
Message-ID: <875xijc99o.fsf@HIDDEN>
Hello,

keinflue <keinflue@HIDDEN> writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

  • The data written to uid_map (gid_map) must consist of a single
    line that maps the writing process's effective user ID (group ID)
    in the parent user namespace to a user ID (group ID) in the user
    namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested). Would be worth reporting upstream as well because in a way
it’s a failure of the test framework.

Thanks,
Ludo’.

[Inline attachment, text/x-patch, reproduced as extracted:]

diff --git a/init.cfg b/init.cfg index 856aa2ee7..e19ec5a31 100644 --- a/init.cfg +++ b/init.cfg @@ -488,7 +488,12 @@ require_membership_in_two_groups_() { test $# = 0 || framework_failure_ - groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)} + # Always pretend this user account is not a member of any + # supplementary group. This avoids wrong expectations from tests + # when the supplementary group is the overflow GID as is the case + # when 'guix-daemon' runs as an unprivileged user that is part of + # supplementary groups such as 'kvm'. + groups= case "$groups" in *' '*) ;; *) skip_ 'requires membership in two groups
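Review bot: the hunk replaces `groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}` with an unconditional `groups=`, so `require_membership_in_two_groups_` always falls into the `*) skip_ 'requires membership in two groups` branch and the chgrp-between-two-groups tests stop running on every host, not only under an unprivileged guix-daemon; it also silently discards the `COREUTILS_GROUPS` override. If the goal is the overflow-GID case described in the thread, filter the GIDs equal to the kernel's overflow GID (`/proc/sys/kernel/overflowgid`, 65534 by default) out of the `id -G` output before the `case "$groups" in` test, so hosts whose supplementary groups are real keep their coverage. The added comment should also state that the tests are being skipped unconditionally; as written it reads as if the change only affects the guix-daemon scenario.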
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 26 Apr 2025 11:08:57 +0000
Message-ID: <657fe5f89e0b1fd4792028ae2d55bbc5@HIDDEN>

Hi,

On 26.04.2025 10:50, Ludovic Courtès wrote:
>> If there is no supplementary group reported by getgroups at all, then
>> coreutils just skips the test and it is ok again. Probably the
>> coreutils test case should remove any gid reported by getgroups that
>> is equal to the overflow gid before making that decision.
>>
>> Dropping all supplementary groups from the build process (after
>> unshare and before writing "deny" to /proc/pid/setgroups) would make
>> it so that this test case is always skipped by having getgroups only
>> report 30000, however that would also drop the kvm group as mentioned
>> above and is also not permitted in all environments (e.g. when the
>> parent namespace already set /proc/[pid]/setgroups to "deny").
>>
>> So I think that instead either all supplementary groups of the user or
>> at least the kvm group specifically needs to be mapped via
>> /proc/[pid]/gid_map. When doing so getgroups would report 30000 and
>> 984 (assuming identity gid map for 984) in your test case above and
>> the coreutils test case would work again, because
>>
>> chgrp 984 testfile
>>
>> would then succeed with 984 mapping back to the host namespace to a
>> supplementary group of the process.
>
> Having reread user_namespaces(7), I don’t think we can change the set
> of supplementary groups at all: that effectively requires root
> privileges.
>
> So the best we can do is map the “kvm” group inside the user namespace.

I also had another look and I missed that effectively CAP_SETGID is
required in the _parent_ namespace in order to use setgroups (because
otherwise writing "deny" to /proc/[pid]/setgroups is essentially
forced).

But the same seems to also be required to map more than the own
effective uid/gid of the process into the namespace.

Mapping more uids/gids is otherwise usually handled by a setuid utility
(newuidmap, newgidmap) I think.

So I guess neither solution of dropping or mapping supplementary groups
will work completely unprivileged and the only solution is to modify or
disable the coreutils test case.

And mapping only kvm wouldn't be sufficient either, unless only that
specific group would be supported. All supplementary groups of the
process must be mapped for the test case to succeed (or at least one of
them, I haven't checked by which rule the test case chooses the gid for
the test scenario from among the supplementary gids).

Best,
keinflue
From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 26 Apr 2025 10:50:51 +0200
Message-ID: <87h62b9uhg.fsf@HIDDEN>

Hi,

keinflue <keinflue@HIDDEN> writes:

>> 2. I’m confused as to what makes the Coreutils test suite fail.
>
> The result from getgroups includes both the primary gid 30000 and a
> supplementary gid 65534 (where the repeated 65534 are the overflow gid
> produced by viewing supplementary gids that aren't mapped into the
> user namespace via /proc/[pid]/gid_map).
>
> Coreutils sees this and so assumes that it can do the equivalent of
>
> touch testfile
> chgrp 65534 testfile
>
> to create a file owned by group 30000 initially and to then change
> group ownership of that file to 65534. Normally an unprivileged user
> is allowed to change group ownership of files they own between groups
> that they are member of, so this would always succeed outside a user
> namespace context.
>
> However, any uid/gid used inside the user namespace is translated back
> to the host namespace via the uid/gid_map before permission
> checks. But in this case because 65534 doesn't map back to any gid in
> the host namespace, the syscall will fail.

Oh right, got it.

> If there is no supplementary group reported by getgroups at all, then
> coreutils just skips the test and it is ok again. Probably the
> coreutils test case should remove any gid reported by getgroups that
> is equal to the overflow gid before making that decision.
>
> Dropping all supplementary groups from the build process (after
> unshare and before writing "deny" to /proc/pid/setgroups) would make
> it so that this test case is always skipped by having getgroups only
> report 30000, however that would also drop the kvm group as mentioned
> above and is also not permitted in all environments (e.g. when the
> parent namespace already set /proc/[pid]/setgroups to "deny").
>
> So I think that instead either all supplementary groups of the user or
> at least the kvm group specifically needs to be mapped via
> /proc/[pid]/gid_map. When doing so getgroups would report 30000 and
> 984 (assuming identity gid map for 984) in your test case above and
> the coreutils test case would work again, because
>
> chgrp 984 testfile
>
> would then succeed with 984 mapping back to the host namespace to a
> supplementary group of the process.

Having reread user_namespaces(7), I don’t think we can change the set of
supplementary groups at all: that effectively requires root privileges.

So the best we can do is map the “kvm” group inside the user namespace.

> From a point of reproducibility and information leakage into the build
> container I think however that it would be preferable to not retain
> supplementary groups if possible. In contrast to the privileged build
> with a distinct build user that can be given desired supplementary
> groups at will, the unprivileged environment may be one where the
> supplementary groups of the user running the daemon can't easily be
> changed to what is supposed to be seen in the build environment.

I agree, though in practice, the daemon will usually run under a
dedicated user anyway: this is what ‘guix-install.sh’ does on other
distros, and this is what happens with (privileged? #t) on Guix System.
In these cases, there’d be no observable difference.

The observable difference (namely getgroups(2) returning a list of
unmapped GIDs) would be when people run the daemon as their own user,
which is currently inconvenient.

> - I also noticed that the build container /etc/group is written with
>   65534 assumed as overflow gid. I am not sure whether anyone actually
>   does this, but the overflow uid/gid are technically configurable
>   (and retrievable) via sysctl entries
>   (/proc/sys/kernel/overflow(uid|gid)). 65534 is just the default
>   value.

Note that the “nobody” UID in /etc/passwd dates back to before the
unprivileged daemon implementation. It just happens to match the
default overflow UID, but I agree we should use the right one here.

> - I also noticed that the operating-system defaults do not write an
>   entry for the overflow gid to /etc/group (while they do for the
>   overflow uid to /etc/passwd). I think such an entry should exist by
>   default as well. The entry for /etc/passwd also assumes the default
>   overflow uid of 65534. This isn't only relevant for a user namespace
>   context, but also file systems that can't map the whole range of
>   Linux uids/gids.

I’m not sure this needs to be changed because it’s not all that
different from the preexisting situation where “kvm” would not have an
entry in /etc/group.

Thanks,
Ludo’.
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 26 Apr 2025 00:23:01 +0000
Message-ID: <f1345bf03b9170036f9c9dcc3fa80467@HIDDEN>

On 25.04.2025 20:39, Ludovic Courtès wrote:
> Hi,
>
> I committed the /etc/group fix in
> 0d3bc50b0cffeae05beb12d0c270c6599186c0d7 together with a test.
>
> keinflue <keinflue@HIDDEN> writes:
>
>> I think this happens if the user running guix-daemon has supplementary
>> groups. These are not mapped via /proc/gid_map in the build container
>> and therefore are reported as the overflow gid (65534) by getgroups.
>>
>> The test cases assume that they can change ownership to this
>> additional group but that is not permitted on the overflow gid.
>>
>> I think supplementary groups should be dropped in the user namespace
>> for the build container to make the behavior
>> reproducible. Unfortunately this may be impossible if the parent
>> namespace has set /proc/[...]/setgroups to "deny".
>
> I came up with this test:
>
> --8<---------------cut here---------------start------------->8---
> (use-modules (guix)
>              (gcrypt hash)
>              (gnu packages bootstrap))
>
> (computed-file "kvm-access"
>                #~(begin
>                    (pk '#$(gettimeofday))
>                    (let ((st (stat "/dev/kvm")))
>                      (pk '/dev/kvm st)
>                      (pk '/dev/kvm:owner (stat:uid st) (stat:gid st))
>                      (pk 'getgroups (getgroups))
>                      ;; XXX: When running the daemon as root, /dev/kvm is
>                      ;; owned by UID 0, which has no entry in /etc/passwd.
>                      ;; (pk 'kvm-user (getpwuid (stat:uid st)))
>                      ;; xxx: /etc/group never contained an entry to the "kvm"
>                      ;; group so the thing below always failed.
>                      ;; (pk 'kvm-group (getgrgid (stat:gid st)))
>                      )
>                    (when (open-fdes "/dev/kvm" O_RDWR)
>                      (mkdir #$output)))
>                #:guile %bootstrap-guile)
> --8<---------------cut here---------------end--------------->8---
>
> Privileged:
>
> --8<---------------cut here---------------start------------->8---
> $ guix build -f ~/src/guix-debugging/dev-kvm-access.scm
> substitute: looking for substitutes on 'http://192.168.1.48:8123'... 0.0%guix substitute: warning: 192.168.1.48: connection failed: Connection timed out
> substitute:
> substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
> substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
> substitute: looking for substitutes on 'https://guix.bordeaux.inria.fr'... 100.0%
> The following derivation will be built:
>   /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
> substitute: looking for substitutes on 'http://192.168.1.48:8123'... 0.0%
> building /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv...
>
> ;;; ((1745606160 . 233876))
>
> ;;; (/dev/kvm #(6 483 8624 1 0 984 2792 0 1745359386 1745359386 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))
>
> ;;; (/dev/kvm:owner 0 984)
>
> ;;; (getgroups #(984 30000))
> successfully built /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
> /gnu/store/36fin1iw2fh9066jg0y2fjd78j9wyjwp-kvm-access
> --8<---------------cut here---------------end--------------->8---
>
> Unprivileged:
>
> --8<---------------cut here---------------start------------->8---
> $ ./test-env guix build -f ~/src/guix-debugging/dev-kvm-access.scm
> accepted connection from pid 2591, user ludo
> accepted connection from pid 2601, user ludo
> substitute: guix substitute: warning: ACL for archive imports seems to be uninitialized, substitutes may be unavailable
> substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
> The following derivation will be built:
>   /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv
> substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
> building /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv...
>
> ;;; ((1745606200 . 636919))
>
> ;;; (/dev/kvm #(6 483 8624 1 65534 65534 2792 0 1745359386 1745359386 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))
>
> ;;; (/dev/kvm:owner 65534 65534)
>
> ;;; (getgroups #(65534 65534 65534 65534 65534 65534 65534 30000 65534))
> successfully built /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv
> /home/ludo/src/guix/test-tmp/store/ffh8zaw279dgdsh6q54mlldh4nikxiqp-kvm-access
> --8<---------------cut here---------------end--------------->8---
>
> In both cases, /dev/kvm is accessible.
>
> In both cases, only the primary group has an entry in /etc/group;
> supplementary groups are lacking.
>
> So:
>
>   1. I don’t think we need to map the “kvm” UID/GID into the user
>      namespace;

For the purpose of the passive permission checks that is not necessary,
yes. There are no uids or gids being translated between the user
namespaces. However if all supplementary groups would be dropped, that
would include the kvm group and then this test will fail to access
/dev/kvm. That was the problem I saw with that first suggestion.

>   2. I’m confused as to what makes the Coreutils test suite fail.

The result from getgroups includes both the primary gid 30000 and a
supplementary gid 65534 (where the repeated 65534 are the overflow gid
produced by viewing supplementary gids that aren't mapped into the user
namespace via /proc/[pid]/gid_map).

Coreutils sees this and so assumes that it can do the equivalent of

touch testfile
chgrp 65534 testfile

to create a file owned by group 30000 initially and to then change group
ownership of that file to 65534. Normally an unprivileged user is
allowed to change group ownership of files they own between groups that
they are member of, so this would always succeed outside a user
namespace context.

However, any uid/gid used inside the user namespace is translated back
to the host namespace via the uid/gid_map before permission checks. But
in this case because 65534 doesn't map back to any gid in the host
namespace, the syscall will fail.

If there is no supplementary group reported by getgroups at all, then
coreutils just skips the test and it is ok again. Probably the coreutils
test case should remove any gid reported by getgroups that is equal to
the overflow gid before making that decision.

Dropping all supplementary groups from the build process (after unshare
and before writing "deny" to /proc/pid/setgroups) would make it so that
this test case is always skipped by having getgroups only report 30000,
however that would also drop the kvm group as mentioned above and is
also not permitted in all environments (e.g. when the parent namespace
already set /proc/[pid]/setgroups to "deny").

So I think that instead either all supplementary groups of the user or
at least the kvm group specifically needs to be mapped via
/proc/[pid]/gid_map. When doing so getgroups would report 30000 and 984
(assuming identity gid map for 984) in your test case above and the
coreutils test case would work again, because

chgrp 984 testfile

would then succeed with 984 mapping back to the host namespace to a
supplementary group of the process.

From a point of reproducibility and information leakage into the build
container I think however that it would be preferable to not retain
supplementary groups if possible. In contrast to the privileged build
with a distinct build user that can be given desired supplementary
groups at will, the unprivileged environment may be one where the
supplementary groups of the user running the daemon can't easily be
changed to what is supposed to be seen in the build environment.

The contents of /etc/group are not relevant for this test case failure,
they are never consulted.

But a few other asides (for which I don't necessarily think anything
should be changed):

- I also noticed that the build container /etc/group is written with
  65534 assumed as overflow gid. I am not sure whether anyone actually
  does this, but the overflow uid/gid are technically configurable (and
  retrievable) via sysctl entries (/proc/sys/kernel/overflow(uid|gid)).
  65534 is just the default value.

- I also noticed that the operating-system defaults do not write an
  entry for the overflow gid to /etc/group (while they do for the
  overflow uid to /etc/passwd). I think such an entry should exist by
  default as well. The entry for /etc/passwd also assumes the default
  overflow uid of 65534. This isn't only relevant for a user namespace
  context, but also file systems that can't map the whole range of Linux
  uids/gids.

> It would still be good to drop any supplementary group other than “kvm”
> though.
>
> WDYT?
>
> Thanks,
> Ludo’.
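The mechanism keinflue describes above, as an added example that is not part of the thread, of Guix or of Coreutils: the program enters an unprivileged user namespace with the one-line identity uid_map/gid_map that user_namespaces(7) permits, lists the groups getgroups(2) then reports (unmapped supplementary groups appear as the overflow GID), and applies the check suggested for the Coreutils test suite, reading the real overflow GID from /proc/sys/kernel/overflowgid and discounting those entries before deciding whether two usable groups exist. It assumes Linux with unprivileged user namespaces enabled; the function names are the example's own.

```c
/* Added example, not code from the thread, Guix or Coreutils: the one-line
 * identity uid_map/gid_map an unprivileged process may write, how unmapped
 * supplementary groups then surface in getgroups(2) as the overflow GID, and
 * the check the thread suggests for the Coreutils tests.  Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* Linux value, in case sched.h hid it */
#endif
int unshare(int flags);            /* glibc declares it under _GNU_SOURCE */

/* kernel.overflowgid is configurable; 65534 (which the build container's
 * /etc/group hard-codes) is only the default, used here as the fallback. */
gid_t overflow_gid(void)
{
  gid_t gid = 65534;
  FILE *f = fopen("/proc/sys/kernel/overflowgid", "r");
  if (f != NULL) {
    unsigned long v;
    if (fscanf(f, "%lu", &v) == 1)
      gid = (gid_t) v;
    fclose(f);
  }
  return gid;
}

/* Copy the distinct GIDs of in[0..n) other than `overflow` into out (room for
 * n entries); return how many were kept.  An overflow entry is a group held
 * only in the parent namespace: chgrp to it fails since it maps to nothing. */
size_t usable_gids(const gid_t *in, size_t n, gid_t overflow, gid_t *out)
{
  size_t kept = 0;
  for (size_t i = 0; i < n; i++) {
    if (in[i] == overflow)
      continue;
    size_t j = 0;
    while (j < kept && out[j] != in[i])
      j++;
    if (j == kept)
      out[kept++] = in[i];
  }
  return kept;
}

/* The decision require_membership_in_two_groups_ makes in init.cfg, with
 * overflow entries filtered out: 1 = run the chgrp tests, 0 = skip them. */
int membership_in_two_groups(const gid_t *gids, size_t n, gid_t overflow)
{
  gid_t *tmp = calloc(n > 0 ? n : 1, sizeof *tmp);
  if (tmp == NULL)
    return 0;
  size_t kept = usable_gids(gids, n, overflow, tmp);
  free(tmp);
  return kept >= 2;
}

/* uid_map/gid_map must each be written in a single write(2). */
static int write_str(const char *path, const char *s)
{
  int fd = open(path, O_WRONLY);
  if (fd < 0)
    return -1;
  ssize_t len = (ssize_t) strlen(s);
  int ok = write(fd, s, (size_t) len) == len;
  close(fd);
  return ok ? 0 : -1;
}

/* Demo: without CAP_SETGID in the parent, the most we may map is our own UID
 * and GID, and "deny" has to go to setgroups before gid_map is written. */
int main(void)
{
  char line[64];
  gid_t groups[256];
  uid_t uid = getuid();
  gid_t gid = getgid();
  if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); return 1; }
  snprintf(line, sizeof line, "%u %u 1\n", (unsigned) uid, (unsigned) uid);
  if (write_str("/proc/self/uid_map", line) != 0) { perror("uid_map"); return 1; }
  if (write_str("/proc/self/setgroups", "deny") != 0) { perror("setgroups"); return 1; }
  snprintf(line, sizeof line, "%u %u 1\n", (unsigned) gid, (unsigned) gid);
  if (write_str("/proc/self/gid_map", line) != 0) { perror("gid_map"); return 1; }
  groups[0] = getegid();                 /* like `id -G`: effective GID first */
  int n = getgroups(255, groups + 1);
  if (n < 0) { perror("getgroups"); return 1; }
  n += 1;
  gid_t ovf = overflow_gid();
  printf("overflow gid %u; id -G equivalent:", (unsigned) ovf);
  for (int i = 0; i < n; i++)
    printf(" %u", (unsigned) groups[i]);
  printf("\nrun the two-group chgrp tests: %s\n",
         membership_in_two_groups(groups, (size_t) n, ovf) ? "yes" : "skip");
  return 0;
}
```

Run as a user with supplementary groups to see the thread's "unprivileged" picture (every group but your own shown as the overflow GID, tests skipped); the same run as a member of no supplementary group is skipped for the ordinary reason of having only one group.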
From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Fri, 25 Apr 2025 20:39:29 +0200
Message-ID: <87selwccgu.fsf@HIDDEN>
In-Reply-To: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>

Hi,

I committed the /etc/group fix in 0d3bc50b0cffeae05beb12d0c270c6599186c0d7 together with a test.

keinflue <keinflue@HIDDEN> writes:

> I think this happens if the user running guix-daemon has supplementary
> groups. These are not mapped via /proc/gid_map in the build container
> and therefore are reported as the overflow gid (65534) by getgroups.
>
> The test cases assume that they can change ownership to this
> additional group but that is not permitted on the overflow gid.
>
> I think supplementary groups should be dropped in the user namespace
> for the build container to make the behavior reproducible.
> Unfortunately this may be impossible if the parent namespace has set
> /proc/[...]/setgroups to "deny".

I came up with this test:

--8<---------------cut here---------------start------------->8---
(use-modules (guix)
             (gcrypt hash)
             (gnu packages bootstrap))

(computed-file "kvm-access"
               #~(begin
                   (pk '#$(gettimeofday))
                   (let ((st (stat "/dev/kvm")))
                     (pk '/dev/kvm st)
                     (pk '/dev/kvm:owner (stat:uid st) (stat:gid st))
                     (pk 'getgroups (getgroups))
                     ;; XXX: When running the daemon as root, /dev/kvm is
                     ;; owned by UID 0, which has no entry in /etc/passwd.
                     ;; (pk 'kvm-user (getpwuid (stat:uid st)))

                     ;; xxx: /etc/group never contained an entry to the "kvm"
                     ;; group so the thing below always failed.
                     ;; (pk 'kvm-group (getgrgid (stat:gid st)))
                     )
                   (when (open-fdes "/dev/kvm" O_RDWR)
                     (mkdir #$output)))
               #:guile %bootstrap-guile)
--8<---------------cut here---------------end--------------->8---

Privileged:

--8<---------------cut here---------------start------------->8---
$ guix build -f ~/src/guix-debugging/dev-kvm-access.scm
substitute: looking for substitutes on 'http://192.168.1.48:8123'... 0.0%guix substitute: warning: 192.168.1.48: connection failed: Connection timed out
substitute: 
substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://guix.bordeaux.inria.fr'... 100.0%
The following derivation will be built:
  /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
substitute: looking for substitutes on 'http://192.168.1.48:8123'... 0.0%
building /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv...

;;; ((1745606160 . 233876))

;;; (/dev/kvm #(6 483 8624 1 0 984 2792 0 1745359386 1745359386 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))

;;; (/dev/kvm:owner 0 984)

;;; (getgroups #(984 30000))
successfully built /gnu/store/vc5p6bfrzr7khgp9jha8h6kplixcl5h6-kvm-access.drv
/gnu/store/36fin1iw2fh9066jg0y2fjd78j9wyjwp-kvm-access
--8<---------------cut here---------------end--------------->8---

Unprivileged:

--8<---------------cut here---------------start------------->8---
$ ./test-env guix build -f ~/src/guix-debugging/dev-kvm-access.scm
accepted connection from pid 2591, user ludo
accepted connection from pid 2601, user ludo
substitute: guix substitute: warning: ACL for archive imports seems to be uninitialized, substitutes may be unavailable
substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
The following derivation will be built:
  /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv
substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
building /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv...

;;; ((1745606200 . 636919))

;;; (/dev/kvm #(6 483 8624 1 65534 65534 2792 0 1745359386 1745359386 1745359386 4096 0 char-special 432 382791307 382791307 1745359386))

;;; (/dev/kvm:owner 65534 65534)

;;; (getgroups #(65534 65534 65534 65534 65534 65534 65534 30000 65534))
successfully built /home/ludo/src/guix/test-tmp/store/5p4qn8d3bgnj60a2kwpliiwk81bvrcjp-kvm-access.drv
/home/ludo/src/guix/test-tmp/store/ffh8zaw279dgdsh6q54mlldh4nikxiqp-kvm-access
--8<---------------cut here---------------end--------------->8---

In both cases, /dev/kvm is accessible.

In both cases, only the primary group has an entry in /etc/group; supplementary groups are lacking.

So:

  1. I don't think we need to map the "kvm" UID/GID into the user namespace;

  2. I'm confused as to what makes the Coreutils test suite fail.

It would still be good to drop any supplementary group other than "kvm" though.

WDYT?

Thanks,
Ludo'.
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 19 Apr 2025 14:36:59 +0000
Message-ID: <9b324ff4015e176164829814dfe5cd43@HIDDEN>
In-Reply-To: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>

I just realized that there is also need for special handling of /dev/kvm. When running with privileges it was possible to add the build users to the kvm group to get access to /dev/kvm in the build container.

To have this continue to work in unprivileged mode, the kvm group (or I guess more specifically the group of /dev/kvm) should be mapped in the user namespace and presumably should not be dropped from supplementary groups.

There is also /dev/tty in the container which has unmapped group ownership, although that doesn't prevent access to it.

Alternatively I guess all supplementary groups could be preserved, but they should then also all be mapped into the user namespace. Then the user would have to drop supplementary groups manually (if they are able to) before running guix-daemon if they do not want any of them to propagate into the build environment and can't create a new user specifically for that purpose (e.g. because they do not have root access on the machine).
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 19 Apr 2025 11:48:39 +0000
Message-ID: <6bbd118c38ab49593cce3749029569c8@HIDDEN>
In-Reply-To: <87a58e3f4q.fsf@HIDDEN>

On 17.04.2025 18:51, Ludovic Courtès wrote:
> keinflue <keinflue@HIDDEN> writes:
>
>> Here are excerpts from the build log:
>
> Thanks.
>
>> Unfortunately I made a mistake and accidentally lost the container in
>> which I tried this, so I can not verify right now whether the patch
>> actually resolves the issue.
>>
>> It might take me a day or two to restore it.
>
> No worries, I'll wait for your feedback.
>
>> This happened either during or shortly after bootstrap builds, so I
>> don't know whether this was the final coreutils package or one from
>> commencement.scm.
>
> OK.
>
> If you have a setup for full rebuilds (no substitutes) running in a
> container, I'm curious to learn more about it!

I basically just used "guix shell -CN -D guix" plus some extra packages and shares. Inside the container I built and ran guix from git with --with-store-dir and NIX_STORE set to a different path than /gnu/store. Initially I forgot to add a share for /var which is why I unfortunately broke the container once I exited it.

> Ludo'.
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Sat, 19 Apr 2025 11:18:51 +0000
Message-ID: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
In-Reply-To: <87a58e3f4q.fsf@HIDDEN>

I can confirm that the patch resolves the particular failing test.

However I overlooked that there are other failing tests:

> FAIL: tests/chgrp/default-no-deref.sh
> FAIL: tests/chgrp/no-x.sh
> FAIL: tests/chgrp/posix-H.sh
> FAIL: tests/chgrp/recurse.sh
> FAIL: tests/chgrp/basic.sh

Here is an example of the failures:

> + require_membership_in_two_groups_
> + test 0 = 0
> + groups='30000 65534'
> + case "$groups" in
> + require_local_dir_
> + require_mount_list_
> + local 'mount_list_fail=cannot read table of mounted file systems'
> + df --local
> + grep -F 'cannot read table of mounted file systems'
> + is_local_dir_ .
> + test 1 = 1
> + df --local .
> + set _ 30000 65534
> + shift
> + g2=65534
> + mkdir d
> + touch f
> + ln -s ../f d/s
> ++ stat --printf=%g f
> + g_init=30000
> + chgrp -R 65534 d
> chgrp: changing group of 'd/s': Invalid argument
> chgrp: changing group of 'd': Invalid argument
> + fail=1
> ++ stat --printf=%g f
> + test 30000 = 30000
> + Exit 1
> + set +e
> + exit 1
> + exit 1
> + remove_tmp_
> + __st=1
> + cleanup_
> + :
> + test '' = yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh.AEHe
> + rm -rf /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh.AEHe
> + exit 1
> FAIL tests/chgrp/default-no-deref.sh (exit status: 1)

I think this happens if the user running guix-daemon has supplementary groups. These are not mapped via /proc/gid_map in the build container and therefore are reported as the overflow gid (65534) by getgroups.

The test cases assume that they can change ownership to this additional group but that is not permitted on the overflow gid.

I think supplementary groups should be dropped in the user namespace for the build container to make the behavior reproducible. Unfortunately this may be impossible if the parent namespace has set /proc/[...]/setgroups to "deny".

Best,
keinflue
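Added example, not part of this thread or of guix-daemon: a small Python model of how the kernel translates GIDs across a user namespace's gid_map, which is what makes unmapped supplementary groups show up as the overflow GID 65534 inside the build container and what makes chgrp to that GID fail with "Invalid argument" (EINVAL). The gid_map contents and the parent's group list below are constructed sample values.

```python
"""Model of Linux user-namespace GID translation (added example).

Mirrors the semantics documented in user_namespaces(7): each line of
/proc/[pid]/gid_map is "<id-inside> <id-outside> <count>".  A parent GID
with no mapping is reported inside the namespace as the overflow GID
(65534, /proc/sys/kernel/overflowgid), and chown()/chgrp to an inside
GID that is not in the map fails with EINVAL.
"""
from dataclasses import dataclass

OVERFLOW_GID = 65534  # default value of /proc/sys/kernel/overflowgid


@dataclass(frozen=True)
class IdRange:
    inside: int
    outside: int
    count: int


def parse_id_map(text: str) -> list[IdRange]:
    """Parse the contents of /proc/[pid]/gid_map (or uid_map)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def map_id_up(ranges: list[IdRange], outside_id: int) -> int:
    """Parent-namespace GID as seen inside the namespace (kernel map_id_up);
    unmapped IDs become the overflow GID."""
    for r in ranges:
        if r.outside <= outside_id < r.outside + r.count:
            return r.inside + (outside_id - r.outside)
    return OVERFLOW_GID


def map_id_down(ranges: list[IdRange], inside_id: int):
    """Inside GID translated back to the parent, or None when it has no
    mapping (the kernel's make_kgid() fails, so chown() returns EINVAL)."""
    for r in ranges:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def getgroups_in_namespace(ranges: list[IdRange], parent_groups: list[int]) -> list[int]:
    """What getgroups() reports inside the namespace for a process that
    kept the parent's supplementary group list."""
    return [map_id_up(ranges, g) for g in parent_groups]


def chgrp_result(ranges: list[IdRange], inside_gid: int) -> str:
    """Outcome of 'chgrp <inside_gid>' run inside the namespace."""
    return "ok" if map_id_down(ranges, inside_gid) is not None else "EINVAL"


def can_drop_supplementary_groups(setgroups_file: str) -> bool:
    """Whether setgroups(0, NULL) can succeed inside the namespace: once the
    parent has written "deny" to /proc/[pid]/setgroups it is refused."""
    return setgroups_file.strip() == "allow"


# Constructed sample: the daemon maps only the build group, 30000 inside
# the container, onto the unprivileged daemon user's primary GID 1000.
SAMPLE_GID_MAP = "30000 1000 1\n"
# Constructed sample: the daemon user is also in four other groups.
SAMPLE_PARENT_GROUPS = [1000, 27, 998, 984, 100]

if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_GID_MAP)
    print("getgroups inside:", getgroups_in_namespace(ranges, SAMPLE_PARENT_GROUPS))
    for gid in (30000, OVERFLOW_GID):
        print(f"chgrp -R {gid} d ->", chgrp_result(ranges, gid))
    for policy in ("allow\n", "deny\n"):
        print(f"setgroups={policy.strip()}: can drop groups ->",
              can_drop_supplementary_groups(policy))
```

With the sample map, every group except the primary one is reported as 65534, which is exactly the pattern in the getgroups output from the test, and the chgrp to 65534 fails because no inside GID maps back to it.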
From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Thu, 17 Apr 2025 18:51:49 +0200
Message-ID: <87a58e3f4q.fsf@HIDDEN>
In-Reply-To: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>

keinflue <keinflue@HIDDEN> writes:

> Here are excerpts from the build log:

Thanks.

> Unfortunately I made a mistake and accidentally lost the container in
> which I tried this, so I can not verify right now whether the patch
> actually resolves the issue.
>
> It might take me a day or two to restore it.

No worries, I'll wait for your feedback.

> This happened either during or shortly after bootstrap builds, so I
> don't know whether this was the final coreutils package or one from
> commencement.scm.

OK.

If you have a setup for full rebuilds (no substitutes) running in a container, I'm curious to learn more about it!

Ludo'.
From: keinflue <keinflue@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Thu, 17 Apr 2025 15:36:32 +0000
Message-ID: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
In-Reply-To: <878qny530h.fsf@HIDDEN>

Here are excerpts from the build log:

> ERROR: tests/chown/separator
> ============================
>
> ++ initial_cwd_=/tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
[...]
> ++ id -u
> + id_u=30001
> + test -n 30001
> ++ id -un
> + id_un=nixbld
> + test -n nixbld
> ++ id -g
> + id_g=30000
> + test -n 30000
> ++ id -gn
> id: cannot find name for group ID 30000
> + id_gn=30000
> + framework_failure_
> + warn_ 'separator.sh: set-up failure: '
> + case $IFS in
> + printf '%s\n' 'separator.sh: set-up failure: '
> separator.sh: set-up failure:
> + test 9 = 2
> + printf '%s\n' 'separator.sh: set-up failure: '
> + sed 1q
> + Exit 99
> + set +e
> + exit 99
> + exit 99
> + remove_tmp_
> + __st=99
> + cleanup_
> + :
> + test '' = yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + rm -rf /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + exit 99
> ERROR tests/chown/separator.sh (exit status: 99)
[...]
> error: in phase 'check': uncaught exception:
> srfi-34 #<condition &invoke-error [program: "make" arguments: ("check" "-j" "16") exit-status: 2 term-signal: #f stop-signal: #f] 2df6100>
>
> phase `check' failed after 15.2 seconds
> command "make" "check" "-j" "16" failed with status 2
> build process 2 exited with status 256

Yes, I believe the patch as suggested is correct (with my limited understanding given that the lines above were changed in the same way).

Unfortunately I made a mistake and accidentally lost the container in which I tried this, so I can not verify right now whether the patch actually resolves the issue.

It might take me a day or two to restore it.

This happened either during or shortly after bootstrap builds, so I don't know whether this was the final coreutils package or one from commencement.scm.

Best,
keinflue
From: Ludovic Courtès <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Thu, 17 Apr 2025 15:30:38 +0200
Message-ID: <878qny530h.fsf@HIDDEN>
In-Reply-To: <86b5c54e8412686790b6bf50525a6231@HIDDEN> (keinflue@HIDDEN's message of "Thu, 17 Apr 2025 11:20:47 +0000")

Hi,

keinflue <keinflue@HIDDEN> writes:

> When using the new ability of guix-daemon to run as non-root with the
> help of user namespaces, the testsuite of coreutils fails.

Could you include a build log snippet?
(Also useful to have it inline so that someone searching for discussions about the bug can find it.)

> This is because the daemon incorrectly uses the host GID instead of
> the guest GID in the build container's /etc/group, which the testsuite
> uses to lookup the group's name via id -gn.

I believe the fix you suggest is this:

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 4ee4a1ae5f..a1f39d9a8b 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder() view of the system (e.g., "id -gn"). */ writeFile(chrootRootDir + "/etc/group", (format("nixbld:!:%1%:\n") - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Create /etc/hosts with localhost entry. */ if (!fixedOutput)

Correct?

Thanks,
Ludo’.
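Review bot: `guestGID` is used in this hunk without its declaration in view, so confirm it is in scope in DerivationGoal::startBuilder() and holds the GID the builder observes inside the user namespace (the 30000 that `id -g` prints in the log), otherwise the non-build-user branch only trades one wrong value for another. The log shows `id -un` already resolving UID 30001 to nixbld while `id -gn` fails for GID 30000, which is consistent with the passwd entry being keyed by the guest ID; this change makes /etc/group match it. A short comment above the writeFile call saying that getgid() is the daemon's host-side GID and must not be used when running in a user namespace would keep the old expression from being reintroduced, and a daemon test that runs `id -gn` in a non-root build would catch the regression.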
From: keinflue <keinflue@HIDDEN>
To: bug-guix@HIDDEN
Cc: ludo@HIDDEN
Subject: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Thu, 17 Apr 2025 11:20:47 +0000
Message-ID: <86b5c54e8412686790b6bf50525a6231@HIDDEN>

When using the new ability of guix-daemon to run as non-root with the help of user namespaces, the testsuite of coreutils fails.

This is because the daemon incorrectly uses the host GID instead of the guest GID in the build container's /etc/group, which the testsuite uses to lookup the group's name via id -gn.
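The mechanism behind the report, as an added example that is not part of the bug thread or of the Guix daemon's code: a user namespace rewrites IDs through the kernel's gid_map (lines of "inside outside count"), so the GID the daemon sees with getgid() on the host and the GID the build process sees with `id -g` inside the container are different numbers, and /etc/group inside the container has to carry the inside one. The host GID 1000 and the one-line mapping are assumptions made up for the example; the guest GID 30000 and the "nixbld:!:GID:" line are the values the log and the patch show.

```python
"""Added illustration (not Guix code): how a user-namespace GID mapping turns a
host GID into the GID a build process sees, and why the container's /etc/group
must carry that guest GID for `id -gn` to resolve.

Assumptions, labelled as such: the daemon runs as host GID 1000 and maps it to
guest GID 30000 (the guest value is what the log prints for `id -g`; the host
value is made up here). The group line mirrors the format string in the patch.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in /proc/<pid>/gid_map format: "inside outside count".
GID_MAP = "30000 1000 1\n"
DAEMON_HOST_GID = 1000   # assumed host GID of the non-root daemon
GUEST_GID = 30000        # GID the build sees; matches `id -g` in the log


@dataclass(frozen=True)
class IdMapEntry:
    inside: int   # first ID as seen inside the user namespace
    outside: int  # first ID as seen in the parent (host) namespace
    count: int    # length of the contiguous range


def parse_id_map(text: str) -> List[IdMapEntry]:
    """Parse the uid_map/gid_map format the kernel exposes under /proc/<pid>/."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append(IdMapEntry(inside, outside, count))
    return entries


def host_to_guest(entries: List[IdMapEntry], host_id: int) -> Optional[int]:
    """Translate a host-side ID into what getgid()/getuid() return inside the
    namespace. None means the ID is unmapped (the kernel then reports the
    overflow ID, 65534 by default)."""
    for e in entries:
        if e.outside <= host_id < e.outside + e.count:
            return e.inside + (host_id - e.outside)
    return None


def group_file(gid: int) -> str:
    """The single /etc/group line the daemon writes (format from the patch)."""
    return f"nixbld:!:{gid}:\n"


def id_gn(group_text: str, gid: int) -> Optional[str]:
    """Emulate `id -gn`: resolve a GID to a name via the container's /etc/group.
    None corresponds to "id: cannot find name for group ID <gid>"."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) == gid:
            return fields[0]
    return None


def demo():
    """Return (GID seen inside, name with the buggy line, name with the fixed line)."""
    seen = host_to_guest(parse_id_map(GID_MAP), DAEMON_HOST_GID)
    buggy = id_gn(group_file(DAEMON_HOST_GID), seen)  # getgid(): daemon's host GID
    fixed = id_gn(group_file(GUEST_GID), seen)        # guestGID, as in the patch
    return seen, buggy, fixed


if __name__ == "__main__":
    seen, buggy, fixed = demo()
    print(f"inside the namespace, id -g -> {seen}")
    print(f"/etc/group written with the host GID:  id -gn -> {buggy}")
    print(f"/etc/group written with the guest GID: id -gn -> {fixed}")
```

With the build-user branch (`buildUser.enabled()`) the daemon runs as root and the build user's GID is the same number on both sides, which is why the bug only surfaces in the non-root, user-namespace mode.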
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.