
Re: “guix system container” script must run as root


From: Ricardo Wurmus
Subject: Re: “guix system container” script must run as root
Date: Tue, 09 Aug 2022 18:23:14 +0200
User-agent: mu4e 1.8.7; emacs 28.1

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Guix,
>
> I see that the container script generated by “guix system container”
> must be run as root.  Looking at “initialize-user-namespace” in (gnu
> build linux-container) there is conditional code to be executed only
> when running as an unprivileged user, namely writing to
> /proc/pid/setgroups.  This makes me think that this was originally meant
> to be usable without root privileges.
>
> Without root privileges write access to /proc/pid/* is denied.  The
> child process here is the result of issuing a clone syscall.
>
> Why can’t the parent process write to the child’s /proc/pid/* files?

“man 7 user_namespaces” explains what conditions must be met for a
parent process to write to /proc/childpid/uid_map.  There are many
conditions that could lead to EPERM.  It seems that writing to
/proc/pid/setgroups succeeds and only writing to uid_map and gid_map
fails.

The parent process should be able to write to these files at least
once; as the parent it should have the capabilities CAP_SETUID and
CAP_SETGID in the child process namespace.

-- 
Ricardo
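Worked example, added here for illustration; it is not code from Guix or from anyone in this thread. The C program below does what the quoted question describes: the parent clone(2)s a child with CLONE_NEWUSER and then, from the parent side, writes /proc/<childpid>/setgroups, gid_map and uid_map in the order user_namespaces(7) requires for a writer without CAP_SETGID in the parent namespace ("deny" into setgroups before gid_map). It maps only the writer's own euid/egid to 0 inside the child namespace, which is the single-line mapping allowed without CAP_SETUID/CAP_SETGID in the parent namespace, so it works both as root and as an unprivileged user. The function names, the pipe handshake and the result codes are my own choices, not anything from (gnu build linux-container). Where clone(CLONE_NEWUSER) is refused outright (seccomp, a sysctl, or a kernel built without CONFIG_USER_NS) the program reports that separately from an EPERM on one of the /proc writes, so the two failure modes discussed above can be told apart.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build the one-line mapping "<inner> <outer> 1\n".  Without CAP_SETUID or
 * CAP_SETGID in the parent namespace a writer may map only its own ID, once. */
static int build_single_map(char *buf, size_t len, unsigned inner, unsigned outer)
{
    int n = snprintf(buf, len, "%u %u 1\n", inner, outer);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write content to /proc/<pid>/<name> in one write(2): 0 on success, else -errno. */
static int write_proc_file(pid_t pid, const char *name, const char *content)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, name);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int err = 0;
    if (write(fd, content, strlen(content)) < 0)
        err = errno;                 /* save before close() can clobber it */
    close(fd);
    return -err;
}

/* Child (already inside the new user namespace): wait for the parent's go
 * byte, then report whether the maps really made us uid 0 / gid 0 here. */
static int child_fn(void *arg)
{
    int *pipefd = arg;
    char go;
    close(pipefd[1]);
    if (read(pipefd[0], &go, 1) != 1)
        return 3;                    /* parent gave up without writing maps */
    return (getuid() == 0 && getgid() == 0) ? 0 : 2;
}

/* 0: maps written by the parent and the child ran as uid 0 in its namespace.
 * 1: this kernel or sandbox refuses CLONE_NEWUSER altogether.
 * <0: -errno from a failed /proc write (EPERM points at user_namespaces(7)).
 * 2/3: the child's own failure codes from child_fn. */
int map_unprivileged_child(void)
{
    enum { STACK_SIZE = 64 * 1024 };
    static _Alignas(16) char stack[STACK_SIZE];   /* child stack, grows down */
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -errno;

    pid_t pid = clone(child_fn, stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, pipefd);
    if (pid < 0) {
        int e = errno;
        close(pipefd[0]); close(pipefd[1]);
        /* EPERM: seccomp/sysctl forbids it; EINVAL: no CONFIG_USER_NS;
         * ENOSPC/EUSERS: user-namespace limits reached. */
        return (e == EPERM || e == EINVAL || e == ENOSPC || e == EUSERS) ? 1 : -e;
    }
    close(pipefd[0]);

    char umap[64], gmap[64];
    build_single_map(umap, sizeof umap, 0, (unsigned)geteuid());
    build_single_map(gmap, sizeof gmap, 0, (unsigned)getegid());

    /* Order matters: "deny" must be in setgroups before gid_map is written
     * when the writer lacks CAP_SETGID in the parent namespace. */
    int rc = write_proc_file(pid, "setgroups", "deny");
    if (rc == 0) rc = write_proc_file(pid, "gid_map", gmap);
    if (rc == 0) rc = write_proc_file(pid, "uid_map", umap);

    if (rc == 0 && write(pipefd[1], "g", 1) != 1)
        rc = -EIO;
    close(pipefd[1]);                /* on failure the child sees EOF and exits 3 */

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (rc != 0)
        return rc;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 2;
}

int main(void)
{
    int r = map_unprivileged_child();
    if (r < 0)
        printf("/proc write failed: %s\n", strerror(-r));
    else
        printf("result %d (0 = child ran as uid 0, 1 = CLONE_NEWUSER refused)\n", r);
    return r == 0 ? 0 : 1;
}
```

Build with "cc -std=c11 -Wall example.c -o example" and run it as a normal user. A result of 0 is the situation Ricardo describes: the parent, being in the parent user namespace and the owner of the child's namespace, holds CAP_SETUID and CAP_SETGID there and its writes to uid_map and gid_map succeed. If the writes fail with EPERM while clone succeeded, check the remaining conditions in user_namespaces(7): the writer's effective UID must equal that of the namespace creator, each map may be written only once, and an unprivileged writer may map nothing but its own ID. Note that writing "deny" to setgroups is always permitted as long as gid_map has not yet been written, so doing it unconditionally, as this example does, costs nothing when the parent happens to be root.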


