From: Ludovic Courtès
To: guix-patches@gnu.org
Cc: keinflue, Ludovic Courtès
Subject: [PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.
Date: Mon, 5 May 2025 10:59:34 +0200
Message-ID: <30197546d98c6e9527ce2b92a47c1457a1ced673.1746392495.git.ludo@gnu.org>

Partly fixes .

* nix/libstore/build.cc (fileContent, overflowUID, overflowGID): New functions.
(DerivationGoal::startBuilder): Use them to populate /etc/passwd when
‘buildUser.enabled()’ is false.

Reported-by: keinflue
Change-Id: I695c697629c739d096933274c1c8a70d08468d4a
---
 nix/libstore/build.cc | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index a1f39d9a8b..773dcf1a01 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -13,6 +13,7 @@ #include #include #include +#include #include #include 
@@ -1646,6 +1647,36 @@ static void initializeUserNamespace(pid_t child, (format("%d %d 1") % guestGID % hostGID).str()); } +/* Return the content of FILE as an integer, or DFLT if FILE could not be + opened or parsed. */ +static unsigned int fileContent(const std::string &file, int dflt) +{ + AutoCloseFD fd; + fd = open(file.c_str(), O_RDONLY|O_CLOEXEC); + if (fd == -1) + return dflt; + else { + char buf[64]; + ssize_t count = read (fd, buf, sizeof buf); + if (count <= 0) return dflt; + + unsigned int result = dflt; + std::string str = buf; + try { result = std::stoi(str); } catch (...) {}; + return result; + } +} + +static uid_t overflowUID() +{ + return fileContent("/proc/sys/kernel/overflowuid", 65534); +} + +static gid_t overflowGID() +{ + return fileContent("/proc/sys/kernel/overflowgid", 65534); +} + void DerivationGoal::startBuilder() { auto f = format( 
@@ -1846,9 +1877,11 @@ void DerivationGoal::startBuilder() writeFile(chrootRootDir + "/etc/passwd", (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" - "nobody:x:65534:65534:Nobody:/:/noshell\n") + "nobody:x:%3%:%4%:Nobody:/:/noshell\n") % (buildUser.enabled() ? buildUser.getUID() : guestUID) - % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); + % (buildUser.enabled() ? buildUser.getGID() : guestGID) + % (buildUser.enabled() ? 65534 : overflowUID()) + % (buildUser.enabled() ? 65534 : overflowGID())).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ base-commit: c2c4bc8758616ebc0148e1bce9311a80658ace88 -- 2.49.0
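
Review bot: In the fileContent hunk, `std::string str = buf;` treats buf as a NUL-terminated string, but read() filled only count bytes of an uninitialized 64-byte stack array, so the constructor can pick up stale stack bytes or run past the end of the buffer. Pass the length instead, as in `std::string str(buf, count);`. The same function parses with std::stoi into an unsigned int and takes `int dflt`, so an ID above INT_MAX silently becomes the default; a wider parse with an explicit range check would make that case deliberate.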
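
Review bot: In the startBuilder hunk, the `nobody` entry now takes its IDs from `buildUser.enabled() ? 65534 : overflowUID()` with no comment saying why the overflow IDs apply only when the build user is disabled. A short comment above the format call would help the next reader, and the literal 65534, which is also the default passed to fileContent in overflowUID() and overflowGID(), could become one named constant.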

From: keinflue
To: Ludovic Courtès
Cc: guix-patches@gnu.org
Subject: Re: [PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.
Date: Mon, 05 May 2025 10:43:59 +0000
Message-ID: <7c9d63b0990786bcff7548a9f0c58506@posteo.net>

On 05.05.2025 10:59, Ludovic Courtès wrote:
> Partly fixes .
>
> * nix/libstore/build.cc (fileContent, overflowUID, overflowGID): New
> functions.
> (DerivationGoal::startBuilder): Use them to populate /etc/passwd when
> ‘buildUser.enabled()’ is false.
>
> Reported-by: keinflue
> Change-Id: I695c697629c739d096933274c1c8a70d08468d4a
> ---
> nix/libstore/build.cc | 37 +++++++++++++++++++++++++++++++++++--
> 1 file changed, 35 insertions(+), 2 deletions(-)
>
> diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc > index a1f39d9a8b..773dcf1a01 100644 > --- a/nix/libstore/build.cc > +++ b/nix/libstore/build.cc > @@ -13,6 +13,7 @@ > #include > #include > #include > +#include > > #include > #include
> @@ -1646,6 +1647,36 @@ static void initializeUserNamespace(pid_t child, > (format("%d %d 1") % guestGID % hostGID).str()); > } > > +/* Return the content of FILE as an integer, or DFLT if FILE could not > be > + opened or parsed. */ > +static unsigned int fileContent(const std::string &file, int dflt)

I think dflt should also be unsigned here? (I don't think POSIX specifies signedness of the ids, but they are unsigned on Linux.)

> +{ > + AutoCloseFD fd; > + fd = open(file.c_str(), O_RDONLY|O_CLOEXEC); > + if (fd == -1) > + return dflt; > + else { > + char buf[64]; > + ssize_t count = read (fd, buf, sizeof buf);

I am not sure it can happen in the /proc file system, but generally there is no guarantee that this will read the whole file even if it is smaller than the buffer size. The read may return with partial result on a signal and EINTR may also occur.

> + if (count <= 0) return dflt; > + > + unsigned int result = dflt; > + std::string str = buf;

buf is not null-terminated, but this constructor of std::string requires a null-terminated byte string as argument. std::string has another constructor that takes a count:

    std::string str(buf, count);

> + try { result = std::stoi(str); } catch (...) {};

std::stoi converts to signed int. It will throw for the upper half of valid uids/gids and it will accept negative values. I'd recommend to use std::stoll instead and to make result have type signed long long. Then at the end of the function it is possible to check the values range if desired:

    if(result < 0 || result > std::numeric_limits::max())
        return dflt;
    else
        return result;

> + return result; > + } > +} > + > +static uid_t overflowUID() > +{ > + return fileContent("/proc/sys/kernel/overflowuid", 65534); > +} > + > +static gid_t overflowGID() > +{ > + return fileContent("/proc/sys/kernel/overflowgid", 65534); > +} > + > void DerivationGoal::startBuilder() > { > auto f = format(
> @@ -1846,9 +1877,11 @@ void DerivationGoal::startBuilder() > writeFile(chrootRootDir + "/etc/passwd", > (format( > "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" > - "nobody:x:65534:65534:Nobody:/:/noshell\n") > + "nobody:x:%3%:%4%:Nobody:/:/noshell\n") > % (buildUser.enabled() ? buildUser.getUID() : > guestUID) > - % (buildUser.enabled() ? buildUser.getGID() : > guestGID)).str()); > + % (buildUser.enabled() ? buildUser.getGID() : > guestGID) > + % (buildUser.enabled() ? 65534 : overflowUID()) > + % (buildUser.enabled() ? 65534 : overflowGID())).str()); > > /* Declare the build user's group so that programs get a > consistent > view of the system (e.g., "id -gn"). */ > > base-commit: c2c4bc8758616ebc0148e1bce9311a80658ace88

In general, after some more thoughts about it, I am not really sure that the ids of "nobody" must reflect the overflowids. It seems that this user/group name has/had multiple different purposes and it is not clear to me which one exactly is intended for the build environment.

Best,
keinflue
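
The points raised in the reply above (short reads and EINTR, the length-taking std::string constructor, std::stoll with a range check), put together as an added example. This is not the patch and not code from the Guix daemon; the names parseId and readIdFile are hypothetical, and rejecting trailing junk after the number goes beyond what the reply asks for.

```cpp
// Added illustration; not code from the Guix daemon. Function names are hypothetical.
#include <cerrno>
#include <fcntl.h>
#include <iostream>
#include <limits>
#include <string>
#include <unistd.h>

// Parse TEXT as a decimal ID. Return DFLT unless it is a whole number in
// [0, max(unsigned int)], optionally followed by whitespace.
static unsigned int parseId(const std::string &text, unsigned int dflt)
{
    long long value = 0;
    std::size_t pos = 0;
    try { value = std::stoll(text, &pos); } catch (...) { return dflt; }
    if (text.find_first_not_of(" \n", pos) != std::string::npos) return dflt;
    if (value < 0 || value > std::numeric_limits<unsigned int>::max())
        return dflt;
    return static_cast<unsigned int>(value);
}

// Read FILE to end-of-file, retrying on EINTR and accumulating short
// reads, then parse it. Return DFLT on any error.
static unsigned int readIdFile(const std::string &file, unsigned int dflt)
{
    int fd = open(file.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd == -1) return dflt;

    std::string content;
    char buf[64];
    bool ok = true;
    for (;;) {
        ssize_t count = read(fd, buf, sizeof buf);
        if (count == -1 && errno == EINTR) continue;  // interrupted: retry
        if (count == -1) { ok = false; break; }       // real I/O error
        if (count == 0) break;                        // end of file
        content.append(buf, count);                   // only COUNT bytes are valid
        if (content.size() > 4096) { ok = false; break; }  // not a small sysctl file
    }
    close(fd);
    return ok ? parseId(content, dflt) : dflt;
}

int main()
{
    std::cout << readIdFile("/proc/sys/kernel/overflowuid", 65534) << ":"
              << readIdFile("/proc/sys/kernel/overflowgid", 65534) << "\n";
}
```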

From: Ludovic Courtès
To: keinflue
Cc: 78256@debbugs.gnu.org
Subject: Re: [bug#78256] [PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.
Date: Fri, 23 May 2025 11:26:12 +0200
Message-ID: <87v7pr1xvv.fsf@gnu.org>

Hello,

keinflue writes:

> On 05.05.2025 10:59, Ludovic Courtès wrote:
>> Partly fixes .
>> * nix/libstore/build.cc (fileContent, overflowUID, overflowGID): New
>> functions.
>> (DerivationGoal::startBuilder): Use them to populate /etc/passwd when
>> ‘buildUser.enabled()’ is false.
>> Reported-by: keinflue
>> Change-Id: I695c697629c739d096933274c1c8a70d08468d4a

Thanks for your comments on the C++ code.

> In general, after some more thoughts about it, I am not really sure
> that the ids of "nobody" must reflect the overflowids. It seems that
> this user/group name has/had multiple different purposes and it is not
> clear to me which one exactly is intended for the build environment.

Yeah actually I wonder. I think the main goal here was to have an entry for “nobody” in /etc/passwd, probably because there exists code out there that assumes that “nobody” exists, but most likely its UID doesn’t matter much.

Build processes can see files whose group is the overflow GID (as we’ve discussed regarding supplementary groups) but I believe they cannot see files whose owner is the overflow UID, right? In that case, this patch doesn’t even provide a useful UID-to-name mapping.

Thanks,
Ludo’.