GNU bug report logs - #77862
guix-daemon run as non-root sets up /etc/group incorrectly in build container


Package: guix;

Reported by: keinflue <keinflue <at> posteo.net>

Date: Thu, 17 Apr 2025 11:22:03 UTC

Severity: important




From: Ludovic Courtès <ludo <at> gnu.org>
To: keinflue <keinflue <at> posteo.net>
Cc: 77862 <at> debbugs.gnu.org
Subject: bug#77862: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Fri, 02 May 2025 17:38:59 +0200
[Message part 1 (text/plain, inline)]
Hello,

keinflue <keinflue <at> posteo.net> writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

 •  The data written to uid_map (gid_map) must consist of a single
    line that maps the writing process's effective user ID (group ID)
    in the parent user namespace to a user ID (group ID) in the user
    namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested).  Would be worth reporting upstream as well because in a way
it’s a failure of the test framework.

Thanks,
Ludo’.

[Message part 2 (text/x-patch, inline)]
diff --git a/init.cfg b/init.cfg
index 856aa2ee7..e19ec5a31 100644
--- a/init.cfg
+++ b/init.cfg
@@ -488,7 +488,12 @@ require_membership_in_two_groups_()
 {
   test $# = 0 || framework_failure_
 
-  groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}
+  # Always pretend this user account is not a member of any
+  # supplementary group.  This avoids wrong expectations from tests
+  # when the supplementary group is the overflow GID as is the case
+  # when 'guix-daemon' runs as an unprivileged user that is part of
+  # supplementary groups such as 'kvm'.
+  groups=
   case "$groups" in
     *' '*) ;;
     *) skip_ 'requires membership in two groups
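Review bot: The unconditional `groups=` that replaces `groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}` makes the `case "$groups" in *' '*) ;;` check that follows it dead code: `$groups` can never contain a space, so every test calling `require_membership_in_two_groups_` is now skipped on every system, not only under an unprivileged guix-daemon, and the `COREUTILS_GROUPS` override the old line honoured no longer has any effect. Consider keeping the `id -G` lookup and instead removing the overflow GID (the value in /proc/sys/kernel/overflowgid) from the list before the membership check, so the tests still run on accounts that really are in two usable groups; the comment should then describe that filtering rather than stating that the account has no supplementary groups. Since the cover note says the patch is untested, a run would make the problem visible as those tests being reported as skipped everywhere.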

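The thread concludes that the only fully unprivileged fix is to change the Coreutils test guard, because an unprivileged guix-daemon's supplementary groups appear inside the build user namespace only as the overflow GID. The following is an added example, not Coreutils' `init.cfg` nor Guix code: a variant of the guard that keeps the `COREUTILS_GROUPS` override but drops the overflow GID from the `id -G` list before deciding whether a test may run. The function names are hypothetical; it assumes the overflow GID can be read from /proc/sys/kernel/overflowgid and falls back to the kernel default 65534 when that file is unreadable.

```shell
#!/bin/sh
# Added example (not the Coreutils or Guix code): decide whether a test
# that needs membership in two groups can run, ignoring the kernel
# overflow GID that an unprivileged user namespace substitutes for
# unmapped supplementary groups such as 'kvm'.

# The kernel overflow GID.  /proc/sys/kernel/overflowgid is the real
# source; 65534 is the kernel default, used only if the file is unreadable.
overflow_gid_() {
  cat /proc/sys/kernel/overflowgid 2>/dev/null || echo 65534
}

# Print the usable supplementary GIDs, one per line, from a
# space-separated 'id -G'-style list given as $1.  Empty fields and the
# overflow GID are dropped, since the latter is not a real group.
usable_groups_() {
  ovf=$(overflow_gid_)
  echo "$1" | tr ' ' '\n' | while read -r g; do
    case $g in
      ''|"$ovf") ;;               # not a usable group
      *) printf '%s\n' "$g" ;;
    esac
  done
}

# Succeed (exit 0) when at least two distinct usable groups remain, so
# the test may run; fail (exit 1) when it should be skipped.  $1 is the
# raw group list; a caller would normally pass
# "${COREUTILS_GROUPS-$(id -G 2>/dev/null)}", preserving the override.
membership_in_two_groups_ok_() {
  n=$(usable_groups_ "$1" | sort -u | wc -l | tr -d ' ')
  [ "$n" -ge 2 ]
}

# Constructed sample inputs (not real accounts): a normal user in three
# groups, and an unprivileged daemon whose only supplementary group is
# visible as the overflow GID.
ovf=$(overflow_gid_)
for sample in "1000 20 44" "1000 $ovf" "1000 $ovf 44"; do
  if membership_in_two_groups_ok_ "$sample"; then
    echo "run : '$sample'"
  else
    echo "skip: '$sample'"
  fi
done
```

With this guard a build under an unprivileged guix-daemon skips the group-dependent tests, exactly as the patch intends, while a developer account that genuinely belongs to two groups still exercises them.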



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.