GNU bug report logs - #21226
FAIL: tests/containers.scm


Package: guix;

Reported by: Jochem Raat <jchmrt <at> riseup.net>

Date: Sun, 9 Aug 2015 23:12:01 UTC

Severity: normal

Done: David Thompson <dthompson2 <at> worcester.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#21226; Package guix. (Sun, 09 Aug 2015 23:12:02 GMT)

Acknowledgement sent to Jochem Raat <jchmrt <at> riseup.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 09 Aug 2015 23:12:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jochem Raat <jchmrt <at> riseup.net>
To: bug-guix <at> gnu.org
Subject: FAIL: tests/containers.scm
Date: Sun, 09 Aug 2015 22:12:03 +0200
During the running of make check on the guix 0.8.3 source tarball,
test/containers.scm failed. I don't know enough about guix to understand
why, but the manual said to report it to this email-address. Please tell
me if you need me to do more tests.

Attached are the test-suite.log and containers.log.
[test-suite.log (text/x-log, attachment)]
[containers.log (text/x-log, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#21226; Package guix. (Mon, 10 Aug 2015 20:47:02 GMT)

Message #8 received at 21226 <at> debbugs.gnu.org:

From: "Thompson, David" <dthompson2 <at> worcester.edu>
To: Jochem Raat <jchmrt <at> riseup.net>, 21226 <at> debbugs.gnu.org
Subject: Re: bug#21226: FAIL: tests/containers.scm
Date: Mon, 10 Aug 2015 16:46:51 -0400
[ Forgot to "Reply All".  Re-sending to bug tracker ]

On Mon, Aug 10, 2015 at 4:23 AM, Jochem Raat <jchmrt <at> riseup.net> wrote:
> On 10-08-15 02:10, Thompson, David wrote:
>> Hello Jochem,
>>
>> Thanks for the report.  I've done some work to fix these in our
>> master, but perhaps you have a situation that I haven't addressed.
>> The container functionality requires a relatively recent version (3.8,
>> I think) of Linux in order to work.
>>
>> What version of Linux are you using?
>
> I think I am running linux 3.13 ('uname -r' returns: 3.13.0-30-generic).
>
>> What is the output of 'ls -l /proc/self/ns'?
>
> 'ls -l /proc/self/ns' returns:
> total 0
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 ipc -> ipc:[4026531839]
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 mnt -> mnt:[4026531840]
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 net -> net:[4026531956]
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 pid -> pid:[4026531836]
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 user -> user:[4026531837]
> lrwxrwxrwx 1 jm jm 0 aug 10 10:12 uts -> uts:[4026531838]
>

Thanks.  So, you have a new enough kernel for all 6 user namespaces to
work but the 'setgroups' interface is not present.  I did some reading
in the user_namespaces(7) man page and found that using setgroups
became a requirement in Linux 3.19 and only kernels may not have it. I
took a look at an Ubuntu 14.04 machine which also runs a 3.13 kernel
and /proc/self/setgroups exists, so indeed it is an optional thing.
The fix will be to test if /proc/self/setgroups exists before writing
to it.  I'll have this fixed next time I get a chance to hack.

Thanks again for reporting this issue!

- Dave




Information forwarded to bug-guix <at> gnu.org:
bug#21226; Package guix. (Tue, 11 Aug 2015 12:42:01 GMT)

Message #11 received at 21226 <at> debbugs.gnu.org:

From: "Thompson, David" <dthompson2 <at> worcester.edu>
To: Jochem Raat <jchmrt <at> riseup.net>
Cc: 21226 <at> debbugs.gnu.org
Subject: Re: bug#21226: FAIL: tests/containers.scm
Date: Tue, 11 Aug 2015 08:41:54 -0400
Hello Jochem,

On Sun, Aug 9, 2015 at 4:12 PM, Jochem Raat <jchmrt <at> riseup.net> wrote:
> During the running of make check on the guix 0.8.3 source tarball,
> test/containers.scm failed. I don't know enough about guix to understand
> why, but the manual said to report it to this email-address. Please tell
> me if you need me to do more tests.
>
> Attached are the test-suite.log and containers.log.

Fixed in commit bc459b6, which skips the tests if /proc/self/setgroups
does not exist, rather than allowing a system with a vulnerable kernel
to create containers with a new user namespace.

I would like to note that you should update your kernel as soon as
possible, as the lack of /proc/self/setgroups means that you are
running a kernel with a known security vulnerability.  The fix was
introduced in Linux 3.19, but backported to many older kernels,
including 3.13.

Thanks,

- Dave
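
The check described in the two replies above, as an added example that is not part of the original thread and is not Guix's own code: a C version that writes "deny" to setgroups before gid_map may be written, and refuses to continue when the setgroups file is missing. The names deny_setgroups and may_write_gid_map and the proc_dir parameter are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum setgroups_status {
    SETGROUPS_DENIED,   /* file present and "deny" written */
    SETGROUPS_MISSING,  /* no such file: kernel lacks the interface */
    SETGROUPS_ERROR     /* file present but it could not be written */
};

/* Hypothetical helper. proc_dir is "/proc/self" in real use; it is a
   parameter only so the logic can run against a constructed directory. */
enum setgroups_status deny_setgroups(const char *proc_dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/setgroups", proc_dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return SETGROUPS_ERROR;
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)  /* ENOENT is the case reported in this bug */
        return errno == ENOENT ? SETGROUPS_MISSING : SETGROUPS_ERROR;
    int ok = write(fd, "deny", 4) == 4;
    return (close(fd) == 0 && ok) ? SETGROUPS_DENIED : SETGROUPS_ERROR;
}

/* gid_map is written only after setgroups has been denied. */
int may_write_gid_map(const char *proc_dir)
{
    return deny_setgroups(proc_dir) == SETGROUPS_DENIED;
}

int main(void)
{
    if (unshare(CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        return EXIT_FAILURE;
    }
    if (!may_write_gid_map("/proc/self")) {
        fprintf(stderr, "setgroups cannot be denied; not writing gid_map\n");
        return EXIT_FAILURE;
    }
    puts("setgroups denied; gid_map may now be written");
    return EXIT_SUCCESS;
}
```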




bug closed, send any further explanations to 21226 <at> debbugs.gnu.org and Jochem Raat <jchmrt <at> riseup.net> Request was from David Thompson <dthompson2 <at> worcester.edu> to control <at> debbugs.gnu.org. (Tue, 11 Aug 2015 12:53:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#21226; Package guix. (Tue, 11 Aug 2015 13:30:06 GMT)

Message #16 received at 21226 <at> debbugs.gnu.org:

From: Jochem Raat <jchmrt <at> riseup.net>
To: "Thompson, David" <dthompson2 <at> worcester.edu>
Cc: 21226 <at> debbugs.gnu.org
Subject: Re: bug#21226: FAIL: tests/containers.scm
Date: Tue, 11 Aug 2015 15:29:25 +0200
On 11-08-15 14:41, Thompson, David wrote:
> 
> Fixed in commit bc459b6, which skips the tests if /proc/self/setgroups
> does not exist, rather than allowing a system with a vulnerable kernel
> to create containers with a new user namespace.

Thanks for the fast response and fix!

> 
> I would like to note that you should update your kernel as soon as
> possible, as the lack of /proc/self/setgroups means that you are
> running a kernel with a known security vulnerability.  The fix was
> introduced in Linux 3.19, but backported to many older kernels,
> including 3.13.

Thanks for the advice, I have updated my kernel.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 09 Sep 2015 11:24:04 GMT)
