Subject: bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem
From: Ludovic Courtès
To: Maxim Cournoyer
Cc: 60890@debbugs.gnu.org
Date: Thu, 19 Jan 2023 18:04:18 +0100
Message-ID: <87pmba8nhp.fsf@gnu.org>
In-Reply-To: <87zgahyn5w.fsf@gmail.com> (Maxim Cournoyer's message of "Tue, 17 Jan 2023 14:30:03 -0500")

Hello!

Maxim Cournoyer skribis:

> It was found that using something like:
>
> (make-forkexec-constructor
>  (least-authority
>   (list (file-append coreutils "/bin/true"))
>   (mappings (delq 'user %namespaces))
>   #:user "nobody"
>   #:group "nobody"))
>
> Would fail with EPERM, because in order to be able to drop the user
> namespace, the CAP_SYS_ADMIN capability is required, but in the above
> case, make-forkexec-constructor has already changed the user to
> "nobody", which lacks such capability.

Thanks for the reminder!

I guess the problem is limited to cases where you need the program to run
in the global user namespace. For example, Tor does not need to run in the
global user namespace, and thus does the following:

--8<---------------cut here---------------start------------->8---
(define (tor-shepherd-service config)
  "Return a running Tor."
  (let* ((torrc (tor-configuration->torrc config))
         (tor   (least-authority-wrapper
                 (file-append (tor-configuration-tor config) "/bin/tor")
                 #:name "tor"
                 #:mappings (list …)
                 #:namespaces (delq 'net %namespaces))))
    (list (shepherd-service
           (provision '(tor))
           ;; …
           (start #~(make-forkexec-constructor
                     (list #$tor "-f" #$torrc)
                     #:user "tor" #:group "tor"))
           (stop #~(make-kill-destructor))
           (actions (list (shepherd-configuration-action torrc)))
           (documentation "Run the Tor anonymous network overlay.")))))
--8<---------------cut here---------------end--------------->8---

Here ‘make-forkexec-constructor’ calls setuid/setgid before it invokes the
wrapped program, and everything’s fine.

Ludo’.
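The ordering rule behind both messages above (CAP_SYS_ADMIN is needed to unshare mount/pid/ipc/uts/net namespaces unless a new user namespace is created in the same call, and setuid() to an unprivileged user discards that capability) can be checked directly against the kernel. The following C program is an added example, not code from this thread or from Guix: it forks a child that first drops privileges, the way make-forkexec-constructor does before exec, and then attempts the unshare() that the wrapper would perform, once without and once with CLONE_NEWUSER (the Tor pattern). It assumes Linux, that a "nobody" account exists when run as root, and that unprivileged user namespaces are enabled; the labels and the `needs_cap_sys_admin` helper are this example's own.

```c
/* Added example (not from the Guix thread or the Guix code base): shows why
   the order of "drop privileges" and "unshare namespaces" matters.
   Creating a new *user* namespace is allowed without privilege, and the
   process then holds a full capability set inside it, so unsharing mount,
   pid, net, ... in the same call succeeds.  Unsharing any of those *without*
   CLONE_NEWUSER needs CAP_SYS_ADMIN in the current user namespace, which a
   process that has already done setgid()/setuid() to an unprivileged user
   no longer has.  Hence the EPERM in the bug report. */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* <sched.h> only exposes these with _GNU_SOURCE */
# define CLONE_NEWNS   0x00020000
# define CLONE_NEWUTS  0x04000000
# define CLONE_NEWIPC  0x08000000
# define CLONE_NEWUSER 0x10000000
# define CLONE_NEWPID  0x20000000
# define CLONE_NEWNET  0x40000000
#endif

/* What the wrapper unshares when only 'user is removed from %namespaces. */
#define NON_USER_NAMESPACES \
    (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWNET)

/* Pure policy check mirroring the kernel rule: any non-user namespace
   requested without CLONE_NEWUSER needs CAP_SYS_ADMIN in the caller's
   current user namespace.  CLONE_NEWUSER alone, or combined with others,
   does not (given unprivileged user namespaces are enabled). */
int needs_cap_sys_admin(int flags)
{
    return (flags & ~CLONE_NEWUSER) != 0 && !(flags & CLONE_NEWUSER);
}

/* Raw unshare(2) via syscall(); returns 0 or errno. */
static int do_unshare(int flags)
{
    return syscall(SYS_unshare, flags) == 0 ? 0 : errno;
}

/* Fork a child that (optionally) drops to UID/GID first, then unshares
   FLAGS; returns 0 or the child's errno.  "Drop first" is the order that
   make-forkexec-constructor imposes on a wrapped program. */
int try_unshare_in_child(int flags, int drop_first, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (drop_first && (setgid(gid) != 0 || setuid(uid) != 0))
            _exit(errno);
        _exit(do_unshare(flags));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(void)
{
    /* As root, drop to "nobody" like the report; otherwise "dropping" to
       our own uid is a no-op that still shows the unshare() outcome. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    struct passwd *pw = getpwnam("nobody");   /* assumed to exist */
    if (uid == 0 && pw != NULL) {
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }

    struct { const char *label; int flags; int drop_first; } cases[] = {
        { "unshare mnt/pid/ipc/uts/net before setuid (still privileged)",
          NON_USER_NAMESPACES, 0 },
        { "setuid first, then unshare mnt/pid/ipc/uts/net (the bug report)",
          NON_USER_NAMESPACES, 1 },
        { "setuid first, then unshare incl. a user ns (the Tor pattern)",
          NON_USER_NAMESPACES | CLONE_NEWUSER, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = try_unshare_in_child(cases[i].flags, cases[i].drop_first,
                                       uid, gid);
        printf("%-66s -> %s (needs CAP_SYS_ADMIN: %s)\n", cases[i].label,
               err == 0 ? "ok" : strerror(err),
               needs_cap_sys_admin(cases[i].flags) ? "yes" : "no");
    }
    return 0;
}
```

Run as root, the second case reports EPERM and the third succeeds, which is exactly the difference between `(delq 'user %namespaces)` in the report and Tor's `(delq 'net %namespaces)`: keeping the user namespace in the set is what lets the unprivileged, already-setuid process create its sandbox.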