unofficial mirror of bug-guix@gnu.org 
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: 35662@debbugs.gnu.org
Subject: bug#35662: Really relocatable binaries crash with Permission denied
Date: Fri, 10 May 2019 00:01:36 +0200
Message-ID: <20190509220136.tli7um2heocifrpq@pelzflorian.localdomain>

The manual gives the following example of guix pack -RR:

      guix pack -RR -S /mybin=bin bash
      tar xf pack.tar.gz
      ./mybin/sh

This fails on my university’s server for students, which uses Linux
container “VMs” with Ubuntu, has no user namespace support, and does
not have Guix installed.  This single line is all the output:

$ ./mybin/sh
sh: run.c:162: bind_mount: Unexpected error: Permission denied.

Note that

PROOT_NO_SECCOMP=1 ~/gnu/store/iyd2ikxadcp89j5919pwja6swnx00493-proot-static-5.1.0/bin/proot -w $(pwd | sed 's/${HOME}//') -r ${HOME} -b /proc /mybin/sh

works just fine (inspired by
<https://guix-hpc.bordeaux.inria.fr/blog/2017/10/using-guix-without-being-root/>).

For testing purposes, I compile the wrapper
gnu/packages/aux-files/run-in-namespace.c:

sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
sed -i 's|@WRAPPED_PROGRAM@|/mybin/sh|g' run-in-namespace.c
gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
scp run-in-namespace.c a.out … # upload it to the university server
ssh …
gdb a.out
[…]
(gdb) break main
Breakpoint 1 at 0x401ea1: file run-in-namespace.c, line 260.
(gdb) run
Starting program: /home/f_pelz12/a.out 

Breakpoint 1, main (argc=1, argv=0x7fffffffe818) at run-in-namespace.c:260
260	  size = readlink ("/proc/self/exe", self, sizeof self - 1);
(gdb) next
261	  assert (size > 0);
(gdb) 
265	  size_t index = strlen (self)
(gdb) 
268	  char *store = strdup (self);
(gdb) 
269	  store[index] = '\0';
(gdb) 
277	  if (strcmp (store, "/gnu/store") != 0
(gdb) 
278	      && lstat ("/mybin/sh", &statbuf) != 0)
(gdb) 
283	      char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
(gdb) 
284	      char *new_store = concat (new_root, "/gnu/store");
(gdb) 
285	      char *cwd = get_current_dir_name ();
(gdb) 
292	      pid_t child = syscall (SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
(gdb) 
[Detaching after fork from child process 12748]
294	      switch (child)
(gdb) a.out: run-in-namespace.c:162: bind_mount: Unexpected error: Permission denied.

337		    disallow_setgroups (child);
(gdb) 
a.out: run-in-namespace.c:205: disallow_setgroups: Unexpected error: Permission denied.

Program received signal SIGABRT, Aborted.
0x000000000040796f in raise ()

I do not know how to break into the detached child’s bind_mount call,
so I am unable to give details on this bind_mount error (I do not know
if the bind_mount really is the cause of the crash; it is futile
anyway and the binary should just try proot after all and not crash
before).  A breakpoint from `break bind_mount` is ignored.  Can I get
more information out of this somehow?

For completeness:
$ uname -a
Linux tux6 4.15.18-14-pve #1 SMP PVE 4.15.18-38 (Tue, 30 Apr 2019 10:51:33 +0200) x86_64 x86_64 x86_64 GNU/Linux

Regards,
Florian
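The probe below is an added example, not code from Guix, from
run-in-namespace.c, or from anyone in this thread.  It reproduces the
steps the -RR wrapper relies on (a new user and mount namespace, the
setgroups/uid_map/gid_map writes, a bind mount) in a throwaway child
that reports which step failed and with what errno, so a wrapper can
decide between the namespace strategy and a PRoot fallback before it
aborts.  Two simplifications are assumptions of this example: the child
maps its own ids (the real wrapper writes the child's maps from the
parent), and the bind mount is "/" onto itself, which is harmless
because the new mount namespace vanishes with the child.  Linux only.

```c
/* Probe whether running inside an unprivileged user namespace works here.
 * Added example (not Guix's run-in-namespace.c); Linux-specific. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

enum probe_stage { STAGE_OK = 0, STAGE_UNSHARE, STAGE_SETGROUPS,
                   STAGE_UID_MAP, STAGE_GID_MAP, STAGE_BIND_MOUNT, STAGE_PROBE };
struct probe_result { enum probe_stage stage; int err; };   /* err is an errno */
enum strategy { USE_NAMESPACE, USE_PROOT, GIVE_UP };

/* Write TEXT to PATH; return 0 or the errno of the failing call. */
static int write_file(const char *path, const char *text)
{
  int fd = open(path, O_WRONLY);
  if (fd < 0) return errno;
  ssize_t n = write(fd, text, strlen(text));
  int err = (n < 0) ? errno : 0;
  close(fd);
  return err;
}

/* Child side: mirror the wrapper's steps and send (stage, errno) back. */
static void child_probe(int report_fd)
{
  struct probe_result r = { STAGE_OK, 0 };
  char map[64];
  unsigned uid = (unsigned) geteuid(), gid = (unsigned) getegid();

  if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) { r.stage = STAGE_UNSHARE; r.err = errno; goto done; }
  /* "deny" must be written before gid_map when we lack CAP_SETGID outside. */
  if ((r.err = write_file("/proc/self/setgroups", "deny")) != 0) { r.stage = STAGE_SETGROUPS; goto done; }
  snprintf(map, sizeof map, "%u %u 1", uid, uid);   /* assumption: map only our own uid */
  if ((r.err = write_file("/proc/self/uid_map", map)) != 0) { r.stage = STAGE_UID_MAP; goto done; }
  snprintf(map, sizeof map, "%u %u 1", gid, gid);
  if ((r.err = write_file("/proc/self/gid_map", map)) != 0) { r.stage = STAGE_GID_MAP; goto done; }
  /* The same kind of call that fails at run.c:162 in the report. */
  if (mount("/", "/", NULL, MS_BIND, NULL) != 0) { r.stage = STAGE_BIND_MOUNT; r.err = errno; }
done:
  if (write(report_fd, &r, sizeof r) != (ssize_t) sizeof r) _exit(1);
  _exit(0);
}

/* Parent side: fork, let the child try, collect the verdict over a pipe. */
struct probe_result probe_user_namespace(void)
{
  struct probe_result r = { STAGE_PROBE, EIO };
  int fds[2];
  if (pipe(fds) != 0) { r.err = errno; return r; }
  pid_t pid = fork();
  if (pid < 0) { r.err = errno; close(fds[0]); close(fds[1]); return r; }
  if (pid == 0) { close(fds[0]); child_probe(fds[1]); }
  close(fds[1]);
  ssize_t n = read(fds[0], &r, sizeof r);
  close(fds[0]);
  waitpid(pid, NULL, 0);
  if (n != (ssize_t) sizeof r) { r.stage = STAGE_PROBE; r.err = EIO; }
  return r;
}

/* What a relocatable wrapper should do once it knows the probe outcome. */
enum strategy choose_strategy(struct probe_result r, int proot_available)
{
  if (r.stage == STAGE_OK) return USE_NAMESPACE;
  return proot_available ? USE_PROOT : GIVE_UP;
}

const char *stage_name(enum probe_stage s)
{
  switch (s) {
  case STAGE_OK:         return "ok";
  case STAGE_UNSHARE:    return "unshare(CLONE_NEWUSER|CLONE_NEWNS)";
  case STAGE_SETGROUPS:  return "setgroups";
  case STAGE_UID_MAP:    return "uid_map";
  case STAGE_GID_MAP:    return "gid_map";
  case STAGE_BIND_MOUNT: return "bind_mount";
  case STAGE_PROBE:      return "probe";
  }
  return "?";
}

int main(void)
{
  struct probe_result r = probe_user_namespace();
  int have_proot = 1;   /* assumption: the pack ships a static PRoot */
  if (r.stage == STAGE_OK)
    puts("user namespaces usable: run the program in a namespace");
  else
    printf("%s failed: %s -> %s\n", stage_name(r.stage), strerror(r.err),
           choose_strategy(r, have_proot) == USE_PROOT ? "fall back to PRoot" : "cannot run");
  return 0;
}
```

On a host like the one in the report, the expected output is a line
naming the failing step (for instance "bind_mount failed: Operation not
permitted -> fall back to PRoot") rather than an abort.  To watch the
real wrapper's child under gdb instead of losing it at the fork, issue
`set follow-fork-mode child` and `set detach-on-fork off` before `run`;
`strace -f -e trace=clone,unshare,mount,openat,write ./mybin/sh` also
shows directly which system call returns EPERM.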
