From: Maxim Cournoyer
Date: Tue, 17 Jan 2023 14:30:03 -0500
Subject: bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem
To: 60890@debbugs.gnu.org
Message-ID: <87zgahyn5w.fsf@gmail.com>

Hi,

I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper [0], to avoid forgetting about it.

It was found that using something like:

--8<---------------cut here---------------start------------->8---
(make-forkexec-constructor
 (least-authority
  (list (file-append coreutils "/bin/true"))
  (mappings (delq 'user %namespaces))
  #:user "nobody"
  #:group "nobody"))
--8<---------------cut here---------------end--------------->8---

Would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.

The solution proposed by Ludovic in would be to [1]:

> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid.  ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.

[0] https://issues.guix.gnu.org/54786#16
[1] https://issues.guix.gnu.org/54786#17

-- 
Thanks,
Maxim
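
The ordering problem described in the report, as an added C example that is not part of the original message and is not Guix or Shepherd code: creating a namespace without a user namespace needs CAP_SYS_ADMIN, so it has to happen before the switch to "nobody". The names try_order, drop_to_nobody and new_namespaces are hypothetical, uid/gid 65534 for "nobody" is an assumption, and CLONE_NEWNS stands in for the full namespace set.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NOBODY 65534    /* assumption: uid/gid of "nobody" on this system */
#define DROP_FAILED 255 /* setgroups/setgid/setuid itself failed */

enum order { DROP_THEN_UNSHARE, UNSHARE_THEN_DROP };

/* Become "nobody"; a no-op when the caller is already unprivileged. */
static int drop_to_nobody(void) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) || setgid(NOBODY) || setuid(NOBODY)) return -1;
    return 0;
}

/* New mount namespace without CLONE_NEWUSER: requires CAP_SYS_ADMIN. */
static int new_namespaces(void) {
    return unshare(CLONE_NEWNS) == 0 ? 0 : errno;
}

/* Run both steps in a child so the caller keeps its own credentials.
   Returns 0 on success, the errno of unshare(), or DROP_FAILED. */
int try_order(enum order o) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        int rc;
        if (o == DROP_THEN_UNSHARE)   /* what the failing composition does */
            rc = drop_to_nobody() ? DROP_FAILED : new_namespaces();
        else if ((rc = new_namespaces()) == 0 && drop_to_nobody())
            rc = DROP_FAILED;         /* order used by the proposed fix */
        _exit(rc);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int a = try_order(DROP_THEN_UNSHARE), b = try_order(UNSHARE_THEN_DROP);
    printf("drop, then unshare: %s\n", a ? strerror(a) : "ok");
    printf("unshare, then drop: %s\n", b ? strerror(b) : "ok");
    return 0;
}
```

Run as root with CAP_SYS_ADMIN, the first order reports "Operation not permitted" and the second succeeds; run unprivileged, both fail at unshare() because the capability was never held.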