GNU bug report logs - #67175
[PATCH 0/9] Removing 'make-forkexec-constructor/container'


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 14 Nov 2023 14:07:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>, Tobias Geerinckx-Rice <me <at> tobias.gr>, Ricardo Wurmus <rekado <at> elephly.net>, 67175 <at> debbugs.gnu.org, Christopher Baines <guix <at> cbaines.net>
Subject: [bug#67175] [PATCH 4/9] least-authority: Add support for changing UIDs/GIDs before exec.
Date: Thu, 21 Dec 2023 23:13:06 +0100
Hi!

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> * guix/least-authority.scm (least-authority-wrapper): Add #:user
>> and #:group.
>> [code]: Add calls to ‘setgid’ and ‘setuid’ when appropriate.
>>
>> Change-Id: I2aad8e5686b42b5c92fc306b114c5c60cb8bc551
>
> This should mention it fixes bug #67175 :-).

Noted!

>>  (define* (least-authority-wrapper program
>>                                    #:key (name "pola-wrapper")
>> +                                  (user #f)
>> +                                  (group #f)
>>                                    (guest-uid 1000)
>>                                    (guest-gid 1000)
>>                                    (mappings '())
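Review bot: the new #:user and #:group keywords (default #f) sit beside #:guest-uid and #:guest-gid, which also select an identity, yet nothing at the parameter list says which pair applies when both are supplied. The docstring hunk below restricts USER/GROUP to the case where NAMESPACES lacks 'user, so presumably guest-uid/guest-gid cover the user-namespace case; stating that rule once, next to the parameters, would remove the ambiguity for callers.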
>> @@ -55,7 +57,11 @@ (define* (least-authority-wrapper program
>>  <file-system-mapping> records indicating directories mirrored inside the
>>  execution environment of PROGRAM.  DIRECTORY is the working directory of the
>>  wrapped process.  Each environment listed in PRESERVED-ENVIRONMENT-VARIABLES
>> -is preserved; other environment variables are erased."
>> +is preserved; other environment variables are erased.
>> +
>> +When USER and GROUP are set and NAMESPACES does not include 'user, change UIDs
>> +and GIDs to these prior to executing PROGRAM.  This usually requires that the
>> +resulting wrapper be executed as root so it can call setgid(2) and
>>  setuid(2)."
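Review bot: "When USER and GROUP are set" does not say whether both are required or whether each is applied independently when the other is #f; spell out the rule. "This usually requires ... root" is also vaguer than it needs to be: since the reply below notes that CAP_SETGID/CAP_SETUID suffice on Linux, "requires that the wrapper run as root or with CAP_SETGID/CAP_SETUID" would be precise. Finally, worth documenting that setgid(2) is called before setuid(2), since once root has been dropped the reverse order fails.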
>
> About "usually"; in which case could a program call setgid and
> setuid without being root?

On Linux, a non-root process can have ‘CAP_SETGID’ and/or ‘CAP_SETUID’
and successfully call these.

So checking whether the UID is zero would not be accurate (tricky
semantics).  I think it’s safer to let it fail and display the actual
error.

Thanks,
Ludo’.
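The exchange above turns on one design choice: do not pre-check for UID 0 before calling setgid/setuid, because a non-root process with CAP_SETGID/CAP_SETUID can succeed and the check would wrongly reject it; instead attempt the calls and report the real errno. The following C program is an added illustration of that choice, not code from the bug report or from Guix's least-authority module. It is a minimal stand-alone wrapper (names `drop_privileges`, `format_privilege_error` and `lookup_ids` are this example's own) that changes GID, then UID, and execs a program, surfacing the kernel's actual error on failure.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to GID, then UID.  Returns 0 on success, or the errno of the failing
   call, whose name is stored in *failed_call when that pointer is non-NULL.
   There is deliberately no "am I root?" pre-check: on Linux a non-root process
   holding CAP_SETGID/CAP_SETUID may succeed, so the kernel's verdict is the
   only reliable one.  (Example code, not Guix's implementation.) */
int drop_privileges(uid_t uid, gid_t gid, const char **failed_call)
{
    /* setgid must come first: after setuid has dropped root (and with it
       CAP_SETGID), a later setgid to an unrelated group fails with EPERM. */
    if (setgid(gid) != 0) {
        if (failed_call) *failed_call = "setgid";
        return errno;
    }
    if (setuid(uid) != 0) {
        if (failed_call) *failed_call = "setuid";
        return errno;
    }
    return 0;
}

/* Render the actual error for the user instead of guessing from the UID.
   Returns the number of characters snprintf would have written. */
int format_privilege_error(char *buf, size_t len, const char *call, int err)
{
    const char *hint = (err == EPERM)
        ? " (needs root or the matching CAP_SETUID/CAP_SETGID capability)"
        : "";
    return snprintf(buf, len, "%s: %s%s", call, strerror(err), hint);
}

/* Resolve USER and GROUP names to numeric IDs; -1 if either is unknown. */
static int lookup_ids(const char *user, const char *group,
                      uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = gr->gr_gid;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s USER GROUP PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }

    uid_t uid;
    gid_t gid;
    if (lookup_ids(argv[1], argv[2], &uid, &gid) != 0) {
        fprintf(stderr, "unknown user %s or group %s\n", argv[1], argv[2]);
        return 1;
    }

    const char *call = NULL;
    int err = drop_privileges(uid, gid, &call);
    if (err != 0) {
        char msg[256];
        format_privilege_error(msg, sizeof msg, call, err);
        fprintf(stderr, "%s\n", msg);   /* e.g. "setgid: Operation not permitted (...)" */
        return 1;
    }

    execvp(argv[3], argv + 3);
    perror("execvp");
    return 127;
}
```

Run as an unprivileged user with a different target account, the wrapper prints the EPERM from setgid rather than a home-made "must be root" message; run as root, or as a non-root process granted CAP_SETGID and CAP_SETUID, the same code path simply succeeds, which is exactly why a UID-zero check would have been the wrong test.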



