GNU bug report logs -
#18994
Daemon does not preserve supplementary groups of build users
Previous Next
Reported by: ludo <at> gnu.org (Ludovic Courtès)
Date: Sat, 8 Nov 2014 14:03:01 UTC
Severity: normal
Fixed in version 0.8.3
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 18994 in the body.
You can then email your comments to 18994 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#18994; Package
guix.
(Sat, 08 Nov 2014 14:03:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Sat, 08 Nov 2014 14:03:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Currently, the build environment made by the daemon does not preserve
supplementary groups of the build users.
Thus, even though the standalone Guix system sets /dev/kvm 660, owned by
root:kvm, and adds the build users to the kvm group, build users are
unable to access it.
This can be see with:
(gexp->derivation "foo"
#~(begin (mkdir #$output)(pk (stat:gid (stat "/dev/kvm")) (getgroups))))
The workaround for now is to make /dev/kvm 666.
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#18994; Package
guix.
(Wed, 01 Jul 2015 09:14:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 18994 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
ludo <at> gnu.org (Ludovic Courtès) skribis:
> Currently, the build environment made by the daemon does not preserve
> supplementary groups of the build users.
>
> Thus, even though the standalone Guix system sets /dev/kvm 660, owned by
> root:kvm, and adds the build users to the kvm group, build users are
> unable to access it.
The following patch is an attempt to address this bug (see
<http://bugs.gnu.org/18994>) by preserving the supplementary groups of
build users in the build environment.
In practice, I would expect that supplementary groups would contain only
one or two groups: the build users group, and possibly the “kvm” group.
WDYT?
Thanks,
Ludo’.
[Message part 2 (text/x-patch, inline)]
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 85a818b..4644810 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -447,6 +447,7 @@ private:
string user;
uid_t uid;
gid_t gid;
+ std::vector<gid_t> supplementaryGIDs;
public:
UserLock();
@@ -460,6 +461,7 @@ public:
string getUser() { return user; }
uid_t getUID() { return uid; }
uid_t getGID() { return gid; }
+ std::vector<gid_t> getSupplementaryGIDs() { return supplementaryGIDs; }
bool enabled() { return uid != 0; }
@@ -539,6 +541,18 @@ void UserLock::acquire()
throw Error(format("the Nix user should not be a member of `%1%'")
% settings.buildUsersGroup);
+ /* Get the list of supplementary groups of this build user. This
+ is usually either empty or contains a group such as "kvm". */
+ supplementaryGIDs.resize(10);
+ int ngroups = supplementaryGIDs.size();
+ int err = getgrouplist(pw->pw_name, pw->pw_gid,
+ &supplementaryGIDs.at(0), &ngroups);
+ if (err == -1)
+ throw Error(format("failed to get list of supplementary groups for `%1'")
+ % pw->pw_name);
+
+ supplementaryGIDs.resize(ngroups);
+
return;
}
}
@@ -2179,8 +2193,11 @@ void DerivationGoal::runChild()
if (buildUser.enabled()) {
printMsg(lvlChatty, format("switching to user `%1%'") % buildUser.getUser());
- if (setgroups(0, 0) == -1)
- throw SysError("cannot clear the set of supplementary groups");
+ /* Preserve supplementary groups of the build user, to allow
+ admins to specify groups such as "kvm". */
+ if (setgroups(buildUser.getSupplementaryGIDs().size(),
+ &buildUser.getSupplementaryGIDs().at(0)) == -1)
+ throw SysError("cannot set supplementary groups of build user");
if (setgid(buildUser.getGID()) == -1 ||
getgid() != buildUser.getGID() ||
Information forwarded
to
bug-guix <at> gnu.org:
bug#18994; Package
guix.
(Wed, 01 Jul 2015 14:55:03 GMT)
Full text and
rfc822 format available.
Message #11 received at 18994 <at> debbugs.gnu.org (full text, mbox):
Hi Eelco,
Eelco Dolstra <eelco.dolstra <at> logicblox.com> skribis:
> On 01/07/15 11:12, Ludovic Courtès wrote:
>
>>> Currently, the build environment made by the daemon does not preserve
>>> supplementary groups of the build users.
>>>
>>> Thus, even though the standalone Guix system sets /dev/kvm 660, owned by
>>> root:kvm, and adds the build users to the kvm group, build users are
>>> unable to access it.
>>
>> The following patch is an attempt to address this bug (see
>> <http://bugs.gnu.org/18994>) by preserving the supplementary groups of
>> build users in the build environment.
>>
>> In practice, I would expect that supplementary groups would contain only
>> one or two groups: the build users group, and possibly the “kvm” group.
>
> Applied, thanks!
Excellent, thank you!
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#18994; Package
guix.
(Wed, 01 Jul 2015 15:31:03 GMT)
Full text and
rfc822 format available.
Message #14 received at 18994 <at> debbugs.gnu.org (full text, mbox):
Hi Ludo,
On 01/07/15 11:12, Ludovic Courtès wrote:
>> Currently, the build environment made by the daemon does not preserve
>> supplementary groups of the build users.
>>
>> Thus, even though the standalone Guix system sets /dev/kvm 660, owned by
>> root:kvm, and adds the build users to the kvm group, build users are
>> unable to access it.
>
> The following patch is an attempt to address this bug (see
> <http://bugs.gnu.org/18994>) by preserving the supplementary groups of
> build users in the build environment.
>
> In practice, I would expect that supplementary groups would contain only
> one or two groups: the build users group, and possibly the “kvm” group.
Applied, thanks!
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Information forwarded
to
bug-guix <at> gnu.org:
bug#18994; Package
guix.
(Wed, 01 Jul 2015 21:12:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 18994 <at> debbugs.gnu.org (full text, mbox):
Charles Strahan <notifications <at> github.com> skribis:
> Is there any reason we immediately throw here, instead of checking `ngroups`, resizing the buffer accordingly, and then rerunning `getgrouplist`? I would think that would be a bit more robust.
Sorry, could you quote the code you’re referring to?
If you talking about the ‘getgrouplist’ call, maybe we could do that,
but we would still need to put a hard limit on the maximum number of
groups anyway.
WDYT?
Thanks,
Ludo’.
PS: Please keep 18994 <at> debbugs.gnu.org Cc’d.
bug marked as fixed in version 0.8.3, send any further explanations to
18994 <at> debbugs.gnu.org and ludo <at> gnu.org (Ludovic Courtès)
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org.
(Wed, 19 Aug 2015 23:03:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 17 Sep 2015 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 224 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.