GNU bug report logs - #54786: Installation tests are failing
Reported by: Mathieu Othacehe <othacehe <at> gnu.org>
Date: Fri, 8 Apr 2022 09:52:01 UTC
Severity: important
Done: Mathieu Othacehe <othacehe <at> gnu.org>
Bug is archived. No further changes may be made.
Message #61 received at 54786 <at> debbugs.gnu.org (full text, mbox):
Hi Ludo,
Ludovic Courtès <ludo <at> gnu.org> writes:
[...]
>> When using 'make-forkexec-constructor/container', the clone(2) call
>> happens before switching user, thus as 'root' in Shepherd, which
>> explains why it works.
>
> Damnit, that’s right. For example the result of:
>
>   (lower-object (least-authority-wrapper (file-append coreutils "/bin/uname")
>                                          #:namespaces (delq 'user %namespaces)))
>
> won’t run as an unprivileged user:
[...]
> I think we would add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.
OK! I'll adjust the jami-service-type when we get around to implementing
the above; for now I've pushed my proposed fix which still uses
'make-forkexec-constructor/container' as
85b4dabd94d53f8179f31a42046cd83fc3a352fc.
Thanks,
Maxim
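
The ordering discussed in this message, as an added C example (not code from the thread or from Guix): creating a namespace other than a user namespace requires CAP_SYS_ADMIN, so it has to happen before setgid/setuid. The names try_unshare and drop_privileges, the choice of a UTS namespace and uid/gid 65534 are assumptions for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* setgroups(), syscall(), CLONE_* flags */
#endif
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000     /* value from the Linux UAPI headers */
#endif
/* Give up root for uid/gid; returns 0 or an errno value. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                   /* already unprivileged, nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return errno;
    return 0;
}

/* In a forked child (the caller keeps its ids and namespaces), create a UTS
 * namespace before or after dropping privileges.  Returns 0 if unshare
 * worked, its errno if it failed, -1 if the harness itself failed. */
int try_unshare(int drop_first, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_first && drop_privileges(uid, gid) != 0)
            _exit(255);
        int err = syscall(SYS_unshare, CLONE_NEWUTS) == 0 ? 0 : errno;
        if (!drop_first && err == 0 && drop_privileges(uid, gid) != 0)
            _exit(255);
        _exit(err);                 /* errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{   /* 65534 is "nobody" on most distributions (assumption). */
    printf("drop first: %d, namespace first: %d\n",
           try_unshare(1, 65534, 65534), try_unshare(0, 65534, 65534));
    return 0;
}
```

Run as root, the "namespace first" case is expected to print 0 and the "drop first" case EPERM (1); run as an ordinary user, both fail, which is the situation the wrapper without a user namespace runs into.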
This bug report was last modified 2 years and 283 days ago.