Subject: bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: bug-guix@HIDDEN
Date: Tue, 17 Jan 2023 14:30:03 -0500
Message-ID: <87zgahyn5w.fsf@HIDDEN>

Hi,

I'm creating a bug to keep track of a problem that was uncovered when attempting to migrate the jami-service-type service to use the least-authority-wrapper [0], to avoid forgetting about it.
It was found that using something like:

--8<---------------cut here---------------start------------->8---
(make-forkexec-constructor
 (least-authority (list (file-append coreutils "/bin/true"))
                  (mappings (delq 'user %namespaces)))
 #:user "nobody"
 #:group "nobody")
--8<---------------cut here---------------end--------------->8---

would fail with EPERM, because in order to be able to drop the user namespace, the CAP_SYS_ADMIN capability is required, but in the above case, make-forkexec-constructor has already changed the user to "nobody", which lacks such capability.

The solution proposed by Ludovic in [1] would be to:

> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.

[0] https://issues.guix.gnu.org/54786#16
[1] https://issues.guix.gnu.org/54786#17

-- 
Thanks,
Maxim
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: bug#60890: Acknowledgement (least-authority-wrapper and make-forkexec-constructor composition problem)
Message-ID: <handler.60890.B.16739838126522.ack <at> debbugs.gnu.org>
References: <87zgahyn5w.fsf@HIDDEN>
Reply-To: 60890 <at> debbugs.gnu.org
Date: Tue, 17 Jan 2023 19:31:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please send it to 60890 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.

-- 
60890: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60890
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems