From unknown Sat Sep 13 15:28:11 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#78225 <78225@debbugs.gnu.org> To: bug#78225 <78225@debbugs.gnu.org> Subject: Status: Testsuite failure relating to chgrp in (unprivileged) user namespaces Reply-To: bug#78225 <78225@debbugs.gnu.org> Date: Sat, 13 Sep 2025 22:28:11 +0000 retitle 78225 Testsuite failure relating to chgrp in (unprivileged) user na= mespaces reassign 78225 coreutils submitter 78225 keinflue severity 78225 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Fri May 02 23:38:34 2025 Received: (at submit) by debbugs.gnu.org; 3 May 2025 03:38:34 +0000 Received: from localhost ([127.0.0.1]:36222 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1uB3ht-0006hB-FH for submit@debbugs.gnu.org; Fri, 02 May 2025 23:38:34 -0400 Received: from lists.gnu.org ([2001:470:142::17]:44252) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1uB3hn-0006gn-NW for submit@debbugs.gnu.org; Fri, 02 May 2025 23:38:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uB3hi-0007hi-B1 for bug-coreutils@gnu.org; Fri, 02 May 2025 23:38:18 -0400 Received: from mout02.posteo.de ([185.67.36.66]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uB3he-0007mG-63 for bug-coreutils@gnu.org; Fri, 02 May 2025 23:38:18 -0400 Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 26549240101 for ; Sat, 3 May 2025 05:38:12 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1746243492; bh=levhYS5R+9z0h9D1yg0Re7b/IUbwHWFETsdOeeotCQ0=; h=MIME-Version:Date:From:To:Subject:Message-ID:Content-Type: Content-Transfer-Encoding:From; b=EnPXGLAEpxnmaMlGsL/oYiGzSeqR6ksG06O0K+avl1iht8hFZ2tT1WLmEYZ0sC2Fw +Y9JAE2k6Y1x+ooQ9AIOAxrF3o/HpCX43opp8FAwDtQTniAQaI+8cm7rFEO+0pmqNM A7rFfe7DC5TJvePI5lyPRK8ryjOX+buWFUELJaVbv0pw5cSCY66yo6rGDAnmGckA+U wBWLwG4rNboOc11XVMeCqV4Kv5oNGRRfkFjoc49SkvqHjJ46DfWElo6tcgni3C9GRG /Yb2mURJcc9X37IMl5SRpT+TE50p0jFHiM2GcE0h3sdZ33KYG8sUQ7Nvm0TyTTNFFA 9wxpJ1smrWvIQ== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4ZqD5b5rJSz9rxD for ; Sat, 3 May 2025 05:38:11 +0200 (CEST) MIME-Version: 1.0 Date: Sat, 03 May 2025 03:38:11 +0000 From: keinflue To: bug-coreutils@gnu.org Subject: Testsuite failure relating to chgrp in (unprivileged) user namespaces Message-ID: <6a6ca81f77efe6af4090c91124626e79@posteo.net> Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=185.67.36.66; envelope-from=keinflue@posteo.net; helo=mout02.posteo.de X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Hello, noticed this on Guix (https://issues.guix.gnu.org/77862#5) with coreutils 9.1 and also verified with latest release 9.7. When building and running the testsuite of coreutils on Linux in a user namespace as unprivileged user the latter may fail chgrp test cases: > FAIL: tests/chgrp/default-no-deref.sh > FAIL: tests/chgrp/no-x.sh > FAIL: tests/chgrp/posix-H.sh > FAIL: tests/chgrp/recurse.sh > FAIL: tests/chgrp/basic.sh The cause for this are supplementary groups of the build process which are not mapped in the user namespace via /proc/pid/gid_map. Inside the user namespace these groups are reported as the overflow gid (by default 65534). require_membership_in_two_groups_ in init.cfg has no exemption for this gid and the chgrp tests will attempt to change ownership to this gid, assuming this to be valid as usually is the case when changing ownership to a supplementary group. However, this is not allowed for the unmapped overflow gid and the syscall will fail. The same problem occurs in gnulib-tests, but I suppose I should report this to the bug-gnulib list. This was noticed during experimentation with Guix's new feature to run the build daemon as unprivileged user process, which relies on unprivileged user namespaces to construct the build container. As discussed in the linked issue it isn't really an option to drop the supplementary groups in this setting. I think the overflow gid should be exempt in require_membership_in_two_groups_ as was already implemented for special gids on MacOS. Best, keinflue From debbugs-submit-bounces@debbugs.gnu.org Sat May 03 05:03:26 2025 Received: (at 78225-done) by debbugs.gnu.org; 3 May 2025 09:03:26 +0000 Received: from localhost ([127.0.0.1]:38149 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1uB8mJ-00070V-1e for submit@debbugs.gnu.org; Sat, 03 May 2025 05:03:25 -0400 Received: from mail-wr1-x42f.google.com ([2a00:1450:4864:20::42f]:43443) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1uB8mE-000704-KQ for 78225-done@debbugs.gnu.org; Sat, 03 May 2025 05:03:22 -0400 Received: by mail-wr1-x42f.google.com with SMTP id ffacd0b85a97d-3912fdddf8fso2318713f8f.1 for <78225-done@debbugs.gnu.org>; Sat, 03 May 2025 02:03:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746262992; x=1746867792; darn=debbugs.gnu.org; h=in-reply-to:from:content-language:references:to:subject:user-agent :mime-version:date:message-id:sender:from:to:cc:subject:date :message-id:reply-to; bh=3hfNYu5OjJ901aNezKn83kAbjMtTYjAXy0l69A41fjg=; b=e8ZCLlDF41MOR1u0Zi/LiqPGSH52MYN1hp/eaaJRGRS1AXoAOHPbmggYWMyRgvfx8k D4iY5vCYqR0TrsmbNvqKsn8GjjaXPe6hzBJgtH+JBC+BKIDDk2/m4B21eqaMu3+W7ur3 0AlvGq3PXlzXAzbaNEDMEKOdwOMA16yZm0KVSAtTFf0up6pIzQgT4IT2C7yvZR/UA8b2 zz/AHLB8FJO1zdkxd3pyVARGIYfH4WA/DKbiQKvHJESwcZUJf+h7Jn0kn5T0deh9AhOB H9+W2NnnWFokgjoTKsZhgIpqtDHL7RGFVO79acNXCHhwKnBlQJnfvHdcoTBFFy5ytW7j Wjwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746262992; x=1746867792; h=in-reply-to:from:content-language:references:to:subject:user-agent :mime-version:date:message-id:sender:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3hfNYu5OjJ901aNezKn83kAbjMtTYjAXy0l69A41fjg=; b=EdMPfUXCqThwwf+dKxaXPBN4ZTtS3FKSX7Yf+nN7lqXaukjaTlsV5D2nhBEvoB/JvS hKgCicr0yzl3QNxHssiwb8Ao6UztJ2tA5uI5L62l1mO2dn37ty0mJEFF7HOfFdUW1YWX Icz4LBKgyxe3EZ0dIFeXLqJDSH7zFQvwQKDVrtBw+Z+hmV/2fSZplIz0MLJG/igydk0G fmxE5Y8ZAauzcFt4Fl+fDr4mTlIWe2sRqGb2LfMYmRRupllaBkx3ZNhzrCWW5KIM+Ze4 CXJ6n25LA5CHlZ6ZjJ/bb77DR2vjMswekT/TVpBQfe9KMuFXhsNdIo4Sp59TX8YMQZcg 8Dcw== X-Forwarded-Encrypted: i=1; AJvYcCU/fZ0xRjutY+NG47GEhaNfBjLlWDIEM9g9k8eEQiz6TZ+EhpJv0X1lQmWp0/gSx6+udLXgXhloAExa@debbugs.gnu.org X-Gm-Message-State: AOJu0YwmTNLbTy6oA9ynWpi/mMFCd4jXUcTgViE2fvRhUIptpTasQLWy vP0zLF/zUHvpWFtmFQO04WdLE7SAJ1DP0s6GdPx1A7cM0qDwll0U X-Gm-Gg: ASbGnctjTF+rluo8pY9YuJHBLIhZlmvPi+o+HbqvtVEjU5pIEH4GsFD3HPBEGiamiDT Xw3PB07knjz9TKKYTBexo2uduyNzStQlBiXvYfg+qXDymEzZphQA5OGkFr6vxdXb8ijgxwFzoAX sd09Fr2maULSsHRetwGl2kvOOxHhFnrpNeBOUmwiUA8BBn24oZnVAYJD28uSGbvcsZqH/SG9LVO Zn+Z8j6v5MeEIrBU4lcApDXIwaCVxm6jn754tFvdVcnA3NoUXIUXbnEgIVVQT0dArH7evx0ouXz wYrZwtrTL9+6UnIbAncMq1TleFHUO+38rYF08DDwMTn31v2qAOycQac11Hwb9hLi5NgHJjMQX1F LRdgBy9kYsmsmuFT26Pse20LaCVuHEdc= X-Google-Smtp-Source: AGHT+IF+1PybxspOC/bGqcrKszD+zFUfUOH8dLgiM3cSqr7FEQMrUNWVAOxiNmpOx5183Y4ceN6/vg== X-Received: by 2002:adf:fb03:0:b0:3a0:987f:7b4d with SMTP id ffacd0b85a97d-3a0987f7b5emr3632003f8f.29.1746262992094; Sat, 03 May 2025 02:03:12 -0700 (PDT) Received: from [192.168.1.31] (86-44-211-146-dynamic.agg2.lod.rsl-rtd.eircom.net. [86.44.211.146]) by smtp.googlemail.com with ESMTPSA id ffacd0b85a97d-3a099b16ec6sm4194613f8f.83.2025.05.03.02.03.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 03 May 2025 02:03:11 -0700 (PDT) Content-Type: multipart/mixed; boundary="------------p7V5n0Q3lBcYD0Iox0u0bE7h" Message-ID: Date: Sat, 3 May 2025 10:03:10 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta Subject: Re: bug#78225: Testsuite failure relating to chgrp in (unprivileged) user namespaces To: keinflue , 78225-done@debbugs.gnu.org References: <6a6ca81f77efe6af4090c91124626e79@posteo.net> Content-Language: en-US From: =?UTF-8?Q?P=C3=A1draig_Brady?= In-Reply-To: <6a6ca81f77efe6af4090c91124626e79@posteo.net> X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 78225-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) This is a multi-part message in MIME format. --------------p7V5n0Q3lBcYD0Iox0u0bE7h Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 03/05/2025 04:38, keinflue wrote: > Hello, > > noticed this on Guix (https://issues.guix.gnu.org/77862#5) with > coreutils 9.1 and also verified with latest release 9.7. > > When building and running the testsuite of coreutils on Linux in a user > namespace as unprivileged user the latter may fail chgrp test cases: > >> FAIL: tests/chgrp/default-no-deref.sh >> FAIL: tests/chgrp/no-x.sh >> FAIL: tests/chgrp/posix-H.sh >> FAIL: tests/chgrp/recurse.sh >> FAIL: tests/chgrp/basic.sh > > The cause for this are supplementary groups of the build process which > are not mapped in the user namespace via /proc/pid/gid_map. > > Inside the user namespace these groups are reported as the overflow gid > (by default 65534). require_membership_in_two_groups_ in init.cfg has no > exemption for this gid and the chgrp tests will attempt to change > ownership to this gid, assuming this to be valid as usually is the case > when changing ownership to a supplementary group. However, this is not > allowed for the unmapped overflow gid and the syscall will fail. > > The same problem occurs in gnulib-tests, but I suppose I should report > this to the bug-gnulib list. > > This was noticed during experimentation with Guix's new feature to run > the build daemon as unprivileged user process, which relies on > unprivileged user namespaces to construct the build container. As > discussed in the linked issue it isn't really an option to drop the > supplementary groups in this setting. > > I think the overflow gid should be exempt in > require_membership_in_two_groups_ as was already implemented for special > gids on MacOS. Thanks for the details. I pushed the attached to avoid this issue. Marking this as done. cheers, Padraig. --------------p7V5n0Q3lBcYD0Iox0u0bE7h Content-Type: text/x-patch; charset=UTF-8; name="tests-overflowgid.patch" Content-Disposition: attachment; filename="tests-overflowgid.patch" Content-Transfer-Encoding: base64 RnJvbSA2MjE4Y2IxOGIwYjdiZmRiNzhkYmRkMjBmM2M3Y2E1MTNiY2E5MTljIE1vbiBTZXAg MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiA9P1VURi04P3E/UD1DMz1BMWRyYWlnPTIwQnJhZHk/ PSA8UEBkcmFpZ0JyYWR5LmNvbT4KRGF0ZTogU2F0LCAzIE1heSAyMDI1IDA5OjU5OjE2ICsw MTAwClN1YmplY3Q6IFtQQVRDSF0gdGVzdHM6IGF2b2lkIGZhbHNlIGZhaWx1cmVzIGluIHVz ZXIgbmFtZXNwYWNlcwoKKiBpbml0LmNmZyAocmVxdWlyZV9tZW1iZXJzaGlwX2luX3R3b19n cm91cHNfKTogU2tpcApvdmVyZmxvdyBnaWRzIHVzZWQgaW4gdXNlciBuYW1lc3BhY2VzLCBh cyBvbmUgY2FuJ3QKY2hncnAoKSB0byB0aGVzZS4KRml4ZXMgaHR0cHM6Ly9idWdzLmdudS5v cmcvNzgyMjUKLS0tCiBpbml0LmNmZyB8IDYgKysrKystCiAxIGZpbGUgY2hhbmdlZCwgNSBp bnNlcnRpb25zKCspLCAxIGRlbGV0aW9uKC0pCgpkaWZmIC0tZ2l0IGEvaW5pdC5jZmcgYi9p bml0LmNmZwppbmRleCA3ZTIxZjk2YzYuLjk4MjQxODkwMCAxMDA2NDQKLS0tIGEvaW5pdC5j ZmcKKysrIGIvaW5pdC5jZmcKQEAgLTUwNCw2ICs1MDQsMTAgQEAgcmVxdWlyZV9tZW1iZXJz aGlwX2luX3R3b19ncm91cHNfKCkKIHsKICAgdGVzdCAkIyA9IDAgfHwgZnJhbWV3b3JrX2Zh aWx1cmVfCiAKKyAgIyBTa2lwIG92ZXJmbG93IGdpZHMgdXNlZCBpbiB1c2VyIG5hbWVzcGFj ZXMKKyAgb3ZlcmZsb3dfZ2lkPSQoY2F0IC9wcm9jL3N5cy9rZXJuZWwvb3ZlcmZsb3dnaWQg Mj4vZGV2L251bGwpCisgIDogIiR7b3ZlcmZsb3dfZ2lkOj0xfSIKKwogICBncm91cHM9CiAg IGZvciBncm91cF8gaW4gMSBcCiAgICAgJHtDT1JFVVRJTFNfR1JPVVBTLSQoIChpZCAtRyB8 fCAvdXNyL3hwZzQvYmluL2lkIC1HKSAyPi9kZXYvbnVsbCl9CkBAIC01MTEsNyArNTE1LDcg QEAgcmVxdWlyZV9tZW1iZXJzaGlwX2luX3R3b19ncm91cHNfKCkKICAgICAjIFNraXAgZ3Jv dXAgbnVtYmVycyBlcXVhbCB0byAyKipOIC0gMSBmb3IgY29tbW9uIE4sCiAgICAgIyBhcyB0 aGV5IGFyZSBwb3NzaWJseSByZXNlcnZlZCBncm91cHMgbGlrZSAnbm9ncm91cCcuCiAgICAg Y2FzZSAkZ3JvdXBfIGluCi0gICAgICAxIHwgMzI3NjcgfCA2NTUzNSB8IDIxNDc0ODM2NDcg fCA0Mjk0OTY3Mjk1KSA7OworICAgICAgJG92ZXJmbG93X2dpZCB8IDEgfCAzMjc2NyB8IDY1 NTM1IHwgMjE0NzQ4MzY0NyB8IDQyOTQ5NjcyOTUpIDs7CiAgICAgICA5MjIzMzcyMDM2ODU0 Nzc1ODA3IHwgMTg0NDY3NDQwNzM3MDk1NTE2MTUpIDs7CiAgICAgICAqKSB0ZXN0IC16ICIk Z3JvdXBzIiB8fCBncm91cHM9IiRncm91cHMgIgogICAgICAgICAgZ3JvdXBzPSIkZ3JvdXBz JGdyb3VwXyI7OwotLSAKMi40OS4wCgo= --------------p7V5n0Q3lBcYD0Iox0u0bE7h-- From unknown Sat Sep 13 15:28:11 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 31 May 2025 11:24:11 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator