GNU bug report logs - #77862
guix-daemon run as non-root sets up /etc/group incorrectly in build container


Package: guix;

Reported by: keinflue <keinflue <at> posteo.net>

Date: Thu, 17 Apr 2025 11:22:03 UTC

Severity: important



Message #40 received at 77862 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: keinflue <keinflue <at> posteo.net>
Cc: 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Fri, 02 May 2025 17:38:59 +0200
Hello,

keinflue <keinflue <at> posteo.net> writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

 •  The data written to uid_map (gid_map) must consist of a single
    line that maps the writing process's effective user ID (group
    ID) in the parent user namespace to a user ID (group ID) in the
    user namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested).  Would be worth reporting upstream as well because in a way
it’s a failure of the test framework.

Thanks,
Ludo’.

Attached patch (text/x-patch):
diff --git a/init.cfg b/init.cfg
index 856aa2ee7..e19ec5a31 100644
--- a/init.cfg
+++ b/init.cfg
@@ -488,7 +488,12 @@ require_membership_in_two_groups_()
 {
   test $# = 0 || framework_failure_
 
-  groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}
+  # Always pretend this user account is not a member of any
+  # supplementary group.  This avoids wrong expectations from tests
+  # when the supplementary group is the overflow GID as is the case
+  # when 'guix-daemon' runs as an unprivileged user that is part of
+  # supplementary groups such as 'kvm'.
+  groups=
   case "$groups" in
     *' '*) ;;
     *) skip_ 'requires membership in two groups
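Review bot: the unconditional `groups=` in require_membership_in_two_groups_ makes the following `case "$groups"` always fall through to `skip_`, so the two-group tests are disabled for every user, not only inside the guix-daemon container, and the `COREUTILS_GROUPS` override that the removed line honoured is lost with it. Since the comment identifies the actual problem as the supplementary groups being reported as the overflow GID, a narrower fix would keep `groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}` and only blank `groups` (or call `skip_` with a message naming the overflow GID) when the list `id -G` returns contains that GID, so developers with real supplementary groups still run the tests.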

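The two constraints discussed in this exchange (setgroups must be set to "deny" before an unprivileged process may write gid_map, and that map may only be the single line for the writer's own effective GID) can be reproduced in one small program. The following is an added example written for this page, not code from the bug report, Guix or Coreutils; it assumes Linux 3.19 or later with unprivileged user namespaces enabled, a mounted /proc, and that the kernel overflow GID is readable from /proc/sys/kernel/overflowgid (it falls back to 65534). It also goes one step beyond the quoted man page: a process that has already unshared into the child namespace holds no capabilities in the parent at all, so the two-line gid_map fails with EPERM no matter what privileges it had before the unshare, and the supplementary groups it still carries read back as the overflow GID, which is exactly what `id -G` then reports inside the build container. The struct and function names are the example's own.

```c
/* Added example (not code from the bug report, Guix or Coreutils).
 * Reproduces, from inside a freshly unshared user namespace, the
 * gid_map/setgroups rules discussed in the thread and shows that
 * unmapped supplementary groups read back as the overflow GID.
 * Assumes Linux >= 3.19 with unprivileged user namespaces enabled
 * and /proc mounted; run_userns_demo() returns 1 if unshare() is refused.
 * Build: cc -o userns_groups userns_groups.c && ./userns_groups */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXG 256

struct userns_demo {
    gid_t egid_before;            /* effective GID in the parent namespace */
    int ngroups_before;           /* supplementary groups before unshare() */
    gid_t groups_before[MAXG];
    int multi_rc, multi_errno;    /* result of the two-line gid_map write */
    int deny_rc;                  /* result of writing "deny" to setgroups */
    int single_rc;                /* result of the one-line own-egid map */
    gid_t gid_inside;             /* getgid() once the map is in place */
    int ngroups_after;
    gid_t groups_after[MAXG];     /* same groups, seen from inside the ns */
    gid_t overflow_gid;           /* kernel.overflowgid, normally 65534 */
};

/* /proc id maps must be written with a single write(2) call. */
static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

static gid_t read_overflow_gid(void)
{
    unsigned long g = 65534;      /* kernel default if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/kernel/overflowgid", "r");
    if (f) { if (fscanf(f, "%lu", &g) != 1) g = 65534; fclose(f); }
    return (gid_t)g;
}

/* Returns 0 when the demo ran, 1 when unshare(CLONE_NEWUSER) was refused
 * (errno is left set for the caller), -1 on an unexpected error. */
int run_userns_demo(struct userns_demo *r)
{
    char map[64];
    memset(r, 0, sizeof *r);
    r->egid_before = getegid();
    r->overflow_gid = read_overflow_gid();
    r->ngroups_before = getgroups(MAXG, r->groups_before);
    if (r->ngroups_before < 0) return -1;

    if (unshare(CLONE_NEWUSER) != 0)
        return 1;                 /* EPERM/EINVAL: userns disabled, seccomp, chroot */

    /* 1. A multi-line gid_map needs CAP_SETGID in the *parent* namespace.
     *    Having unshared into the child, this process has no capabilities
     *    there, so the kernel answers EPERM whatever it was before. */
    snprintf(map, sizeof map, "0 %u 1\n1 %u 1\n",
             (unsigned)r->egid_before, (unsigned)r->egid_before + 1);
    r->multi_rc = write_file("/proc/self/gid_map", map);
    r->multi_errno = errno;

    /* 2. Without that capability, gid_map is only writable after
     *    setgroups has been set to "deny" (the "forced" step in the thread). */
    r->deny_rc = write_file("/proc/self/setgroups", "deny");

    /* 3. The only permitted map: one line, our own egid, count 1. */
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)r->egid_before);
    r->single_rc = write_file("/proc/self/gid_map", map);
    if (r->deny_rc != 0 || r->single_rc != 0) return -1;

    /* 4. The supplementary groups are still attached to the process, but
     *    every GID without a mapping reads back as the overflow GID.
     *    That is what 'id -G' prints inside the build container. */
    r->gid_inside = getgid();
    r->ngroups_after = getgroups(MAXG, r->groups_after);
    return r->ngroups_after < 0 ? -1 : 0;
}

int main(void)
{
    struct userns_demo r;
    int rc = run_userns_demo(&r);
    if (rc == 1) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    if (rc < 0) { perror("demo"); return 1; }
    printf("two-line gid_map: %s\n", r.multi_rc ? strerror(r.multi_errno) : "accepted");
    printf("gid inside namespace: %u\n", (unsigned)r.gid_inside);
    for (int i = 0; i < r.ngroups_after; i++)
        printf("supplementary group %u -> %u%s\n", (unsigned)r.groups_before[i],
               (unsigned)r.groups_after[i],
               r.groups_after[i] == r.overflow_gid ? " (overflow GID)" : "");
    return 0;
}
```

Run it as a user that belongs to a group such as kvm: the group whose GID equals the effective GID maps to 0 (the target chosen in the one-line map), every other supplementary group prints as the overflow GID. The only way to get those groups mapped is for a process that stays in the parent namespace and holds CAP_SETGID there (or a setgid helper such as newgidmap) to write the map, which is the conclusion the thread reaches.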