From: Bengt Richter
To: Vagrant Cascadian
Cc: 45069@debbugs.gnu.org, Jesse Dowell, Paul Garlick, Guix Devel
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
Date: Tue, 8 Dec 2020 04:20:05 +0100
Message-ID: <20201208032005.GA14866@LionPure>
In-Reply-To: <87eek1sdpo.fsf@yucca>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Vagrant,

On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---------------cut here---------------start------------->8---
> > (define (unprivileged-user-namespace-supported?)
> >   "Return #t if user namespaces can be created by unprivileged users."
> >   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> >     (if (file-exists? userns-file)
> >         (eqv? #\1 (call-with-input-file userns-file read-char))
> >         #t)))
> > --8<---------------cut here---------------end--------------->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
> >
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not. What do I miss? Please could someone fill my gap? :-)
>
> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
>
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
>
> live well, and as virtuously as you are able ... so that spies can't help but admire and reflect :)
> vagrant

Another data point FYI:

On my pureos system, which is based on debian upstream:

uname -a =-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

and

ls -l /proc/sys/kernel/unprivileged_userns_clone
-rw-r--r-- 1 root root 0 Dec  8 03:03 /proc/sys/kernel/unprivileged_userns_clone

and (noticing that the items appear to be short and ascii lines, hence thereupon head :)

--8<---------------cut here---------------start------------->8---
od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone
0000000   0  nl
         30  0a
0000002
head /proc/sys/kernel/unprivileged_userns_clone
0
--8<---------------cut here---------------end--------------->8---

Not sure this tells you anything useful, but there is also:

--8<---------------cut here---------------start------------->8---
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163

==> /proc/sys/user/max_inotify_instances <==
128

==> /proc/sys/user/max_inotify_watches <==
65536

==> /proc/sys/user/max_ipc_namespaces <==
128163

==> /proc/sys/user/max_mnt_namespaces <==
128163

==> /proc/sys/user/max_net_namespaces <==
128163

==> /proc/sys/user/max_pid_namespaces <==
128163

==> /proc/sys/user/max_user_namespaces <==
128163

==> /proc/sys/user/max_uts_namespaces <==
128163
--8<---------------cut here---------------end--------------->8---

HTH some way :)
--
Regards,
Bengt Richter
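The thread's finding is that the file Guix's unprivileged-user-namespace-supported? checks exists only on Debian/Ubuntu kernels, so elsewhere the function falls through to #t without learning anything. The following is an added example, not Guix code: it reads the Debian knob when present, the upstream user.max_user_namespaces limit shown in the head output above, and otherwise probes with unshare(CLONE_NEWUSER) in a forked child. Function names are the example's own; the sysctl contents used in the test are constructed.

```python
import ctypes
import os
from typing import Callable, Optional

# Paths from the thread: the first only exists on Debian/Ubuntu patched kernels,
# the second is the upstream per-user limit (0 forbids creating any userns).
DEBIAN_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"
MAX_USERNS_SYSCTL = "/proc/sys/user/max_user_namespaces"
CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>


def read_proc(path: str) -> Optional[str]:
    """Return the text of a /proc file, or None if it does not exist."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def sysctl_verdict(read_file: Callable[[str], Optional[str]]) -> Optional[bool]:
    """What the sysctls say: True/False when definite, None when inconclusive.
    None is the case the Guix function turns into #t; it says nothing about
    CONFIG_USER_NS or an LSM/seccomp policy that still rejects unshare()."""
    limit = read_file(MAX_USERNS_SYSCTL)
    if limit is not None and limit.strip() == "0":
        return False
    debian = read_file(DEBIAN_SYSCTL)
    if debian is not None:
        return debian.strip() == "1"
    return None


def can_unshare_userns() -> bool:
    """Probe unshare(CLONE_NEWUSER) in a forked child so the caller's own
    namespace is untouched; run it as the unprivileged user in question."""
    pid = os.fork()
    if pid == 0:
        try:
            rc = ctypes.CDLL(None, use_errno=True).unshare(CLONE_NEWUSER)
        except (AttributeError, OSError):
            rc = -1
        os._exit(0 if rc == 0 else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def unprivileged_userns_supported() -> bool:
    """A sysctl saying "disabled" is authoritative (root's probe would still
    succeed); otherwise trust the probe instead of defaulting to True."""
    if sysctl_verdict(read_proc) is False:
        return False
    return can_unshare_userns()
```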