From: Jelle Licht
To: guix-patches@gnu.org
Subject: [PATCH] linux-container: Reset jailed root permissions.
Date: Mon, 28 Sep 2020 16:34:33 +0200

* gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.
--- gnu/build/linux-container.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 2d4de788df..4a8bed5a9a 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm 
@@ -170,7 +170,8 @@ for the process." (pivot-root root put-old) (chdir "/") (umount "real-root" MNT_DETACH) - (rmdir "real-root"))) + (rmdir "real-root") + (chmod "/" #o755))) (define* (initialize-user-namespace pid host-uids #:key (guest-uid 0) (guest-gid 0)) -- 2.28.0
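
Review bot: the added `(chmod "/" #o755)` at the end of mount-file-systems has no comment saying what mode the new root is left with after `pivot-root` and why it has to be reset; the log entry ("Add 'chmod' call.") does not record it either. Please add a one-line comment above the call stating the mode being corrected and why 755 is the intended value for the container's "/". This version also changes only linux-container.scm, so nothing asserts the resulting mode; a test in tests/containers.scm that checks the permissions of "/" from inside the container would keep the fix from regressing.
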
From: Ludovic Courtès
To: Jelle Licht
Cc: 43673@debbugs.gnu.org
Subject: Re: [bug#43673] [PATCH] linux-container: Reset jailed root permissions.
Date: Tue, 29 Sep 2020 22:28:13 +0200

Hi,

Jelle Licht writes:

> * gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.

Well done! Could you add a test checking (stat:perms (lstat "/")) in tests/containers.scm?

Thanks,
Ludo’.

From: Jelle Licht
To: 43673@debbugs.gnu.org
Subject: [PATCH v2] linux-container: Reset jailed root permissions.
Date: Tue, 29 Sep 2020 23:25:13 +0200

* gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.
* tests/containers.scm ("call-with-container, mnt namespace, root permissions"): New test.
--- gnu/build/linux-container.scm | 3 ++- tests/containers.scm | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 2d4de788df..4a8bed5a9a 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -170,7 +170,8 @@ for the process." (pivot-root root put-old) (chdir "/") (umount "real-root" MNT_DETACH) - (rmdir "real-root"))) + (rmdir "real-root") + (chmod "/" #o755))) (define* (initialize-user-namespace pid host-uids #:key (guest-uid 0) (guest-gid 0)) diff --git a/tests/containers.scm b/tests/containers.scm index 7b63e5c108..608902c41a 100644 --- a/tests/containers.scm +++ b/tests/containers.scm 
@@ -133,6 +133,14 @@ (lambda () (primitive-exit 0))))) +(skip-if-unsupported) +(test-assert "call-with-container, mnt namespace, root permissions" + (zero? + (call-with-container '() + (lambda () + (assert-exit (= #o755 (stat:perms (lstat "/"))))) + #:namespaces '(user mnt)))) + (skip-if-unsupported) (test-assert "container-excursion" (call-with-temporary-directory -- 2.28.0
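
Review bot: in the new tests/containers.scm test, the assertion `(= #o755 (stat:perms (lstat "/")))` repeats the literal that linux-container.scm hard-codes, and nothing in the test says what mode "/" had before the chmod was added, so a reader cannot tell that the test fails without the fix. A short comment above the `test-assert` naming the pre-fix mode would make the regression intent explicit. The test name says "mnt namespace" while the call passes `#:namespaces '(user mnt)`; either mention the user namespace in the name or note why it is required.
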
From: Ludovic Courtès
To: Jelle Licht
Cc: 43673@debbugs.gnu.org
Subject: Re: [bug#43673] [PATCH v2] linux-container: Reset jailed root permissions.
Date: Thu, 01 Oct 2020 11:35:08 +0200

Hi,

Jelle Licht writes:

> * gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.
> * tests/containers.scm
> ("call-with-container, mnt namespace, root permissions"): New test.

LGTM, thanks!

Ludo’.

From: Jelle Licht
To: Ludovic Courtès
Cc: 43673-done@debbugs.gnu.org
Subject: Re: [bug#43673] [PATCH v2] linux-container: Reset jailed root permissions.
Date: Thu, 01 Oct 2020 13:48:29 +0200

Ludovic Courtès writes:

> Hi,
>
> Jelle Licht writes:
>
>> * gnu/build/linux-container.scm (mount-file-systems): Add 'chmod' call.
>> * tests/containers.scm
>> ("call-with-container, mnt namespace, root permissions"): New test.
>
> LGTM, thanks!
>
> Ludo’.

Pushed as e7481835 on master, thanks for the fast review!

From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 30 Oct 2020 11:24:11 +0000